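Reference: Alibaba Mobile Security
Principles:
- 1. An HTTPS page cannot embed an HTTP page in an iframe
- 2. An HTTPS page may embed HTTPS pages in an iframe, except when:
a. the embedded site sets frame-ancestors 'none' [or 'self']
b. the embedded site sets X-Frame-Options: deny
Related error messages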
Refused to display 'https://github.com/' in a frame because
an ancestor violates the following Content Security Policy
directive: "frame-ancestors 'none'".
Refused to display 'https://www.npmjs.com/' in a frame
because it set 'X-Frame-Options' to 'deny'.
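
The two rules above can be expressed as a check to run against a site's response headers when auditing its framing protection. This is an added example, not code from the referenced source: `canFrame`, the parent origin `https://app.example` and the sample header values (constructed to mirror the two error messages) are assumptions. It models a single ancestor and only the `'none'`, `'self'`, `*`, scheme and exact-origin source forms.

```javascript
// Added example: simplified model of the framing rules above, one ancestor only.
function canFrame(parentUrl, childUrl, childHeaders = {}) {
  const parent = new URL(parentUrl);
  const child = new URL(childUrl);
  const h = {}; // header names are case-insensitive
  for (const [k, v] of Object.entries(childHeaders)) h[k.toLowerCase()] = String(v);

  // Rule 1: an HTTPS page cannot frame an HTTP page (mixed content).
  if (parent.protocol === 'https:' && child.protocol === 'http:') {
    return { allowed: false, reason: 'mixed-content' };
  }

  // Rule 2a: CSP frame-ancestors. When present, X-Frame-Options is ignored.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((t) => t[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const ok = directive.slice(1).some((src) => {
      const s = src.toLowerCase();
      if (s === "'none'") return false;
      if (s === '*') return true;
      if (s === "'self'") return parent.origin === child.origin;
      if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s; // scheme source
      try { return new URL(s).origin === parent.origin; } catch { return false; }
    });
    return { allowed: ok, reason: ok ? 'frame-ancestors-match' : 'frame-ancestors' };
  }

  // Rule 2b: X-Frame-Options (deny, or sameorigin from a different origin).
  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  const sameOrigin = parent.origin === child.origin;
  if (xfo === 'deny' || (xfo === 'sameorigin' && !sameOrigin)) {
    return { allowed: false, reason: 'x-frame-options' };
  }
  return { allowed: true, reason: 'no-restriction' };
}

// Constructed sample responses; header values are illustrative, not captured.
const PARENT = 'https://app.example/';
const samples = [
  ['http://app.example/legacy', {}],
  ['https://github.com/', { 'Content-Security-Policy': "default-src 'none'; frame-ancestors 'none'" }],
  ['https://www.npmjs.com/', { 'X-Frame-Options': 'deny' }],
  ['https://app.example/widget', { 'Content-Security-Policy': "frame-ancestors 'self'" }],
];
for (const [url, headers] of samples) console.log(url, canFrame(PARENT, url, headers));
```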