• Refused to display 'url' in a frame because it set 'X-Frame-Options' to 'deny'


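    When embedding a page with an iframe, the browser reports: Refused to display 'url' in a frame because it set 'X-Frame-Options' to 'deny'.
    This comes from Spring Security, which sets X-Frame-Options to deny to protect the page against malicious embedding. What I found online was to add httpSecurity.headers().frameOptions().disable();

    For example: https://blog.csdn.net/a494567309/article/details/80348557

    But I configure things in spring-security.xml, so I don't use that approach; instead I added <security:headers disabled="true"/> to spring-security.xml.

    The complete spring-security.xml configuration is as follows: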
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:security="http://www.springframework.org/schema/security"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">
    
        <!-- Resources that are not intercepted -->
        <security:http pattern="/login.jsp" security="none"/>
        <security:http pattern="/css/**" security="none"/>
        <security:http pattern="/img/**" security="none"/>
        <security:http pattern="/js/**" security="none"/>
        <security:http pattern="/plugins/**" security="none"/>
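        <!--
            Configure the actual rules
            auto-config="true"      no need to write your own login page; the framework provides a default one
            use-expressions="true"  whether to use SpEL expressions (true here, so access takes hasAnyRole(...))
        -->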
        <security:http auto-config="true" use-expressions="true">
            <!-- Interception rules: pattern is the request path rule; access requires the user to have the ROLE_USER or ROLE_ADMIN role -->
            <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
    
            <!-- Define the pages to redirect to -->
            <security:form-login
                    login-page="/login.jsp"
                    login-processing-url="/login.do"
                    default-target-url="/index.jsp"
                    authentication-failure-handler-ref="authenticationFailureHandler"
                    authentication-success-handler-ref="authenticationSuccessHandler"
            />
    
            <!-- Disable CSRF protection -->
            <security:csrf disabled="true"/>
            <!-- Logout -->
            <security:logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.jsp"/>
    
            <!-- Refused to display 'url' in a frame because it set 'X-Frame-Options' to 'deny'. If this message appears when using an iframe, set disabled to true -->
            <security:headers disabled="true"/>
        </security:http>
    
        <!-- Switch to the usernames and passwords stored in the database -->
        <security:authentication-manager>
            <security:authentication-provider ref="authenticationProvider"/>
        </security:authentication-manager>
    
        <bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
            <property name="userDetailsService" ref="managerService" />
            <!-- Whether to hide the user-not-found exception; defaults to true. Set to false here so that "user does not exist" is returned -->
            <property name="hideUserNotFoundExceptions" value="false" />
            <!-- Configure the password encoding method -->
            <property name="passwordEncoder" ref="passwordEncoder" />
        </bean>
    
        <!-- Password encoder bean -->
        <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
        <bean id="authenticationFailureHandler" class="com.handler.AuthenticationFailureHandler"/>
        <bean id="authenticationSuccessHandler" class="com.handler.AuthenticationSuccessHandler"/>
    </beans>

    Restart the application and it works.
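
    The setting used above, `<security:headers disabled="true"/>`, turns off every response header Spring Security writes by default, not only X-Frame-Options. The fragment below is an added example, not part of the original post's configuration: it keeps the other headers and relaxes only the framing policy. It assumes the page containing the iframe is served from the same origin as the framed page.

    ```xml
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:security="http://www.springframework.org/schema/security"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

        <security:http auto-config="true" use-expressions="true">
            <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>

            <!--
                Setting from the post. It removes all default headers at once:
                X-Frame-Options, X-Content-Type-Options, Cache-Control and
                Strict-Transport-Security (HTTPS only) are no longer sent.

                <security:headers disabled="true"/>
            -->

            <!--
                Narrower alternative (assumption: parent page and framed page
                share one origin). Only the framing policy changes from DENY to
                SAMEORIGIN; the remaining default headers stay enabled.
            -->
            <security:headers>
                <security:frame-options policy="SAMEORIGIN"/>
            </security:headers>

            <!--
                If the parent page is on a different origin, SAMEORIGIN still
                blocks it. In that case this disables only the X-Frame-Options
                header and leaves the other headers in place:

                <security:headers>
                    <security:frame-options disabled="true"/>
                </security:headers>
            -->
        </security:http>
    </beans>
    ```

    After restarting, the response headers shown in the browser's network panel should include `X-Frame-Options: SAMEORIGIN` together with the other default headers.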

  • Original article: https://www.cnblogs.com/weiapro/p/11521695.html