 

How do I get Sinatra to refrain from adding the X-Frame-Options header?

I am using Sinatra to return some IFRAME contents, and I'd like to allow cross-domain src. Unfortunately, Sinatra is automatically adding an X-Frame-Options header to my response. How do I turn that off?

Bruce asked Oct 20 '11 18:10



People also ask

How do I get rid of X-Frame-options header?

In the feature list in the middle, double-click the HTTP Response Headers icon. In the list of headers that appears, select X-Frame-Options. Click Remove in the Actions pane on the right side.

What are X frame headers?

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.


1 Answer

Sinatra uses Rack::Protection, in particular the frame_options option, which is what is setting the X-Frame-Options header.

You can configure which protections are used. Sinatra turns most of them on by default (some are only enabled if you are also using sessions, and Rack::Protection itself doesn't enable some by default).

To prevent sending the X-Frame-Options header you need to disable frame_options like this:

set :protection, :except => :frame_options 
matt answered Sep 20 '22 12:09

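The setting in the answer drops the header for every route, so pages that were never meant to be framed lose their click-jacking protection too. As an added example (not part of the original answer or of Sinatra), the middleware below restores `X-Frame-Options` everywhere except under an embed prefix, where it sends a `Content-Security-Policy` `frame-ancestors` allowlist instead. The class name `ScopedFrameGuard`, the `/embed` prefix and the partner origin are assumptions.

```ruby
# Added example. Plain Ruby following Rack's call(env) -> [status, headers, body]
# contract, so it runs without gems. All names and values are hypothetical.
class ScopedFrameGuard
  def initialize(app, embed_prefix, allowed_origins)
    @app = app
    @embed_prefix = embed_prefix.chomp("/")
    @allowed_origins = allowed_origins
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Normalise header names so lookups work whatever casing the app used.
    headers = headers.to_h { |k, v| [k.to_s.downcase, v] }
    # Only HTML responses are touched.
    return [status, headers, body] unless html?(headers)

    if embeddable?(env["PATH_INFO"].to_s)
      # Framing is limited to the listed origins on embeddable routes.
      headers.delete("x-frame-options")
      headers["content-security-policy"] = merge_csp(headers["content-security-policy"])
    else
      # Everything else keeps the same-origin framing restriction.
      headers["x-frame-options"] ||= "SAMEORIGIN"
    end
    [status, headers, body]
  end

  private

  def html?(headers)
    headers["content-type"].to_s.start_with?("text/html")
  end

  # Match on a path-segment boundary so /embedded-admin is not treated as /embed.
  def embeddable?(path)
    return false if path.include?("..")
    path == @embed_prefix || path.start_with?(@embed_prefix + "/")
  end

  # Replace any existing frame-ancestors directive and keep the other directives.
  def merge_csp(existing)
    directives = existing.to_s.split(";").map(&:strip).reject(&:empty?)
    directives.reject! { |d| d.downcase.start_with?("frame-ancestors") }
    sources = @allowed_origins.empty? ? ["'none'"] : @allowed_origins
    directives << "frame-ancestors #{sources.join(' ')}"
    directives.join("; ")
  end
end
```

In a Sinatra app this would sit alongside the answer's setting, registered with `use ScopedFrameGuard, "/embed", ["https://partner.example"]`.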