 

How to override X-Frame-Options for a controller or action in Rails 4

Rails 4 appears to set a default value of SAMEORIGIN for the X-Frame-Options HTTP response header. This is great for security, but it does not allow for parts of your app to be available in an iframe on a different domain.

You can override the value of X-Frame-Options globally using the config.action_dispatch.default_headers setting:

    config.action_dispatch.default_headers['X-Frame-Options'] = "ALLOW-FROM https://apps.facebook.com"

But how do you override it for just a single controller or action?

asked Aug 26 '13 13:08 by Chris Peters


People also ask

Is X-Frame-Options deprecated?

While the X-Frame-Options header is still honoured by the major browsers, it has been obsoleted in favour of the frame-ancestors directive from the CSP Level 2 specification. Browsers that support frame-ancestors give it precedence over X-Frame-Options when both are present.

What is X-Frame-Options?

X-Frame-Options lets content publishers stop their own pages from being loaded in an invisible frame by an attacker (clickjacking). DENY is the most restrictive value and forbids framing the page anywhere. SAMEORIGIN is used more often: it still permits framing, but only by pages from the same origin. ALLOW-FROM, which names a single foreign origin, was only ever implemented by Internet Explorer and older Firefox releases; Chrome and Safari do not recognise it and ignore the header entirely when they see it.

How do I set X-Frame-Options in HTML?

You cannot. Browsers only honour X-Frame-Options as an HTTP response header; a <meta http-equiv="X-Frame-Options"> tag in the page body is ignored, so the header has to be emitted by the web server or application. In IIS Manager, for example: double-click the HTTP Response Headers icon in the feature list in the middle, click Add in the Actions pane on the right, enter X-Frame-Options in the Name field and SAMEORIGIN in the Value field, then click OK to save.


1 Answer

If you want to remove the header completely, you can create an after_action filter:

    class FilesController < ApplicationController
      after_action :allow_iframe, only: :embed

      def embed
      end

      private

      def allow_iframe
        response.headers.except! 'X-Frame-Options'
      end
    end

Or, of course, you can code the after_action to set the value to something different:

    class FacebookController < ApplicationController
      after_action :allow_facebook_iframe

      private

      def allow_facebook_iframe
        response.headers['X-Frame-Options'] = 'ALLOW-FROM https://apps.facebook.com'
      end
    end

Note that you need to clear your cache in certain browsers (Chrome for me) while debugging this.

answered Oct 21 '22 05:10 by Chris Peters
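The following is an added example and not code from the answer above or from Rails itself. It does the same per-action override the answer describes, but replaces the ALLOW-FROM value (which Chrome and Safari never implemented, and which Chrome discards together with the whole header, leaving the page frameable from anywhere) with the CSP frame-ancestors directive mentioned in the "People also ask" section. The helper takes a plain Hash of response headers so it runs without Rails; the module name FrameAncestors, the `allow:` keyword and the validation rules are my own choices. In a controller you would call it from an after_action as `FrameAncestors.apply!(response.headers, allow: ['https://apps.facebook.com'])`.

```ruby
require 'uri'

# Added example (not from the original answer or from Rails). Per-action
# framing policy that emits CSP frame-ancestors instead of relying on
# X-Frame-Options: ALLOW-FROM. Works on any Hash-like headers object.
module FrameAncestors
  XFO = 'X-Frame-Options'.freeze
  CSP = 'Content-Security-Policy'.freeze
  DIRECTIVE = 'frame-ancestors'.freeze

  # Reduce a configured embedder to the "scheme://host[:port]" form that a
  # frame-ancestors host source expects. A path, query or userinfo in the
  # value is treated as a misconfiguration rather than silently dropped:
  # "https://apps.facebook.com/evil" must not quietly become an allowlisted
  # origin by accident.
  def self.normalize_origin(value)
    uri = URI.parse(value.to_s.strip)
    scheme = uri.scheme.to_s.downcase
    unless %w[http https].include?(scheme) && uri.host
      raise ArgumentError, "embedder must be an http(s) origin: #{value.inspect}"
    end
    if !['', '/'].include?(uri.path) || uri.query || uri.fragment || uri.userinfo
      raise ArgumentError, "embedder must be an origin, not a URL: #{value.inspect}"
    end
    port = uri.port == uri.default_port ? '' : ":#{uri.port}"
    "#{scheme}://#{uri.host.downcase}#{port}"
  end

  # allow: :none (DENY), :self (SAMEORIGIN) or an Array of embedder origins.
  # Mutates and returns headers.
  def self.apply!(headers, allow:)
    case allow
    when :none
      headers[XFO] = 'DENY'
      set_directive!(headers, "'none'")
    when :self
      headers[XFO] = 'SAMEORIGIN'
      set_directive!(headers, "'self'")
    else
      origins = Array(allow).map { |o| normalize_origin(o) }.uniq
      raise ArgumentError, 'empty allowlist; use :none to deny framing' if origins.empty?
      # No X-Frame-Options value lets every browser express "these origins
      # only". ALLOW-FROM takes a single origin and is honoured by legacy IE
      # and old Firefox only, so keep it for that one case; otherwise drop the
      # header rather than leave the SAMEORIGIN default in place, which would
      # block the very embedder we are trying to allow.
      if origins.length == 1
        headers[XFO] = "ALLOW-FROM #{origins.first}"
      else
        headers.delete(XFO)
      end
      set_directive!(headers, origins.join(' '))
    end
    headers
  end

  # Replace (or add) the frame-ancestors directive in an existing CSP header,
  # leaving every other directive untouched.
  def self.set_directive!(headers, value)
    existing = headers[CSP].to_s.split(';').map(&:strip).reject(&:empty?)
    kept = existing.reject { |d| d.split(' ').first.casecmp?(DIRECTIVE) }
    headers[CSP] = (kept + ["#{DIRECTIVE} #{value}"]).join('; ')
  end
end
```

Because frame-ancestors, like X-Frame-Options, is only honoured as a response header, this has to run server-side on every response of the embeddable action; a browser that supports CSP Level 2 will use the frame-ancestors value and ignore X-Frame-Options when both are present, so the two headers never contradict each other from the browser's point of view.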