Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

X-Frame-Options ALLOW-FROM a specific site allows from all

I'm using a rails application to serve a page from abc.com. In it, I set the response headers in my application controller (for every request through before_filter) so that it can be accessed through an iframe only from a specific site (xyz.com), through the following code:

def set_x_frame_options
  response.headers["X-Frame-Options"] = "ALLOW-FROM http://www.xyz.com"
end

The problem is, not only am I able to access the page from abc.com on xyz but also on any other website. I want to limit the access to only xyz.com. When I examine the response headers in chrome console I can see the X-Frame-Options is being passed on correctly. This is happening across all browsers. Am I missing something?

like image 623
Swamy g Avatar asked Jul 16 '12 23:07

Swamy g


1 Answers

For those looking for a definitive answer: it's not implemented in webkit, but does work in Firefox reportedly as of version 18.0. The following ruby syntax works for me in Firefox 20.0 on OSX:

response.headers["X-Frame-Options"] = "Allow-From http://www.website.com"
like image 129
Michael Lawrie Avatar answered Nov 03 '22 09:11

Michael Lawrie