SSL、自定义 TLD、Crossdomain.xml 和 Adsense。他们能打得好吗?
Posted
技术标签:
【中文标题】SSL、自定义 TLD、Crossdomain.xml 和 Adsense。他们能打得好吗?【英文标题】:SSL, Custom TLD's, Crossdomain.xml and Adsense. Can they play nicely? 【发布时间】:2015-01-07 14:54:48 【问题描述】:我正在开发一个正在使用 Adsense 的新网站。它是https://viewing.nyc,并且是一项正在进行中的工作。我已经在网站上展示了一些 adsense 广告,它们可以工作——从某种意义上说,它们实际上展示了广告——但它们在 Safari 控制台中输出了大量垃圾。
我经常看到的消息是经典:
Blocked a frame with origin "https://googleads.g.doubleclick.net" from accessing a frame with origin "https://viewing.nyc". Protocols, domains, and ports must match.
所以,我在这里和那里玩了几天,搜索解决方案并试图了解如何解决它。我用以下内容实现了一个crossdomain.xml 文件:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/crossdomain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.youtube.com" secure="false"/>
<allow-access-from domain="*.doubleclick.net" secure="false"/>
<allow-access-from domain="*.2mdn.net" secure="false"/>
<allow-access-from domain="*.dartmotif.net" secure="false"/>
<allow-access-from domain="*.doubleclick.net" secure="true"/>
<allow-access-from domain="*.doubleclick.com" secure="true"/>
<allow-access-from domain="*.doubleclick.com" secure="false"/>
<allow-access-from domain="*.2mdn.net" secure="true"/>
<allow-access-from domain="*.dartmotif.net" secure="true"/>
<allow-access-from domain="*.gstatic.com" secure="false"/>
</cross-domain-policy>
但没有成功。问题是否源于我拥有.nyc ***域和拥有.com 的adsense 网站?有没有办法解决这些错误?
【问题讨论】:
【参考方案1】:您的网站输出以下标题。
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
X-Request-Id: 86d0d6f2-eba5-46b2-b6cf-9ce77fc1f16e
X-Download-Options: noopen
X-Runtime: 0.955425
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src 'self'; connect-src 'self' viewing.nyc *.viewing.nyc cdn.jsdelivr.net csi.gstatic.com pagead2.googlesyndication.com; font-src 'self' viewing.nyc *.viewing.nyc *.viewingnyc.dev fonts.gstatic.com data:; form-action 'self'; frame-ancestors 'self'; frame-src 'self' https:; img-src 'self' viewing.nyc *.viewing.nyc *.viewingnyc.dev s3.amazonaws.com pagead2.googlesyndication.com *.amazon-adsystem.com *.ssl-images-amazon.com *.media-amazon.com *.assoc-amazon.com *.twimg.com *.twitter.com *.instagram.com *.facebook.com data:; manifest-src 'self'; media-src utoob.com; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' viewing.nyc *.viewing.nyc *.viewingnyc.dev *.googletagservices.com *.googleadservices.com *.googlesyndication.com adservice.google.com googleads.g.doubleclick.net *.amazon-adsystem.com *.twimg.com *.twitter.com *.instagram.com *.facebook.com *.facebook.net gleam.io js.gleam.io lightwidget.com *.lightwidget.com; style-src 'self' 'unsafe-inline' viewing.nyc *.viewing.nyc *.viewingnyc.dev *.twitter.com *.instagram.com *.facebook.com fonts.googleapis.com gleam.io *.gleam.io; upgrade-insecure-requests
我会建议您删除 Content-Security-Policy 标头和 X-Permitted-Cross-Domain-Policies 标头。如果您希望 AdSense 正常运行,还要删除 crossdomain.xml。
这不是一个理想的解决方案,但 Google 没有给出 Content-Security-Policy 允许域的列表,它每天都在变化,所以现在最好避免使用这些标头。
【讨论】:
以上是关于SSL、自定义 TLD、Crossdomain.xml 和 Adsense。他们能打得好吗?的主要内容,如果未能解决你的问题,请参考以下文章