Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to "allow-from" more than one domain for "X-Frame-Options" in Rails 4 controller?

In a Ruby on Rails 4 application I'm working on, I need to make a page that will be pulled into an iframe hosted on the foo.bar.com server, so I have this controller method:

def iframed_page
  response.headers["X-FRAME-OPTIONS"] = "ALLOW-FROM http://foo.bar.com"
end

..and now it turns out that the client wants me to also whitelist http://foo.dev.bar.com as well.

I know that for setting X-FRAME-OPTIONS, the "ALLOW-FROM" option doesn't allow for multiple subdomains. But since this is the same root domain with different subdomains, would it be a little more flexible? For example, could I do something like

response.headers["X-FRAME-OPTIONS"] = "ALLOW-FROM http://*.bar.com"

as well?

like image 448
drumwolf Avatar asked Nov 04 '14 21:11

drumwolf


1 Answers

You can use the Content-Security-Policy header instead, but it doesn't work on everything.

response.headers["X-Content-Security-Policy"] = "frame-ancestors http://*.bar.com";
response.headers["Content-Security-Policy"] = "frame-ancestors http://*.bar.com";
  • Content-Security-Policy will override X-Frame-Options on modern browsers
  • X-Content-Security-Policy will override X-Frame-Options on IE11
like image 54
Andrew Carreiro Avatar answered Oct 02 '22 02:10

Andrew Carreiro