docs: Add document on overriding X-Frame-Options.

2014-08-11 15:25:26 +08:00 · 2014-08-11 15:25:26 +08:00 · 253789353f
commit 253789353f
parent 73262be2c2
3 changed files with 24 additions and 2 deletions
--- a/docs/api/browser-window.md
+++ b/docs/api/browser-window.md
@ -18,6 +18,9 @@ win.show();
 You can also create a window without chrome by using
 [Frameless Window](frameless-window.md) API.

+Security strategy of web pages showed by `BrowserWindow` is a bit different from
+normal browsers, see [Web Security](web-security.md) for more.
+
 ## Class: BrowserWindow

 `BrowserWindow` is an
--- a/docs/api/web-security.md
+++ b/docs/api/web-security.md
@ -0,0 +1,21 @@
+# Web Security
+
+Because atom-shell has added node integration to normal web pages, there are
+some security adjustments that made atom-shell both more safe and more
+convenient.
+
+## Overriding `X-Frame-Options` header
+
+May websites (including Google and Youtube) use the
+[X-Frame-Options](x-frame-options) header to disable access to their websites
+in `iframe`s. In atom-shell you can add a `disable-x-frame-options` string in
+the `iframe`'s name to disable this:
+
+```html
+<!-- Refused to display -->
+<iframe name="google" src="https://google.com"></iframe>
+<!-- Loads as expected -->
+<iframe name="google-disable-x-frame-options" src="https://google.com"></iframe>
+```
+
+[x-frame-options](https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options)