Last Updated: November 30, 2016
· rbmrclo

Rails 4: Allow your site to be iframed by another site.

In Rails 4, the X-Frame-Options HTTP header is set to SAMEORIGIN by default (it is part of ActionDispatch's default_headers). This lets a page be framed only by pages from the same origin and so prevents clickjacking, which is good for security.

In some cases you want to let any site frame your content. One way is to set X-Frame-Options to 'ALLOWALL'. Note that ALLOWALL is not a value defined for this header (RFC 7034 defines only DENY, SAMEORIGIN and ALLOW-FROM); it works because browsers ignore a header whose value they do not recognise, which has the same effect as sending no X-Frame-Options header at all.

# config/application.rb
# Assigning default_headers replaces the whole hash, so the other headers Rails 4
# puts there by default (X-XSS-Protection, X-Content-Type-Options) are dropped
# unless you add them back.
config.action_dispatch.default_headers = {
    'X-Frame-Options' => 'ALLOWALL'
}

If you want to allow framing only from one specific site, you can set the header in a particular action in your controller. ALLOW-FROM takes a single origin (scheme and host), and it was only ever implemented by Firefox and Internet Explorer/Edge: Chrome and Safari do not recognise it, log an "is not a recognized directive" error in the console and ignore the header, which leaves the page frameable by anyone in those browsers. For several allowed sites, or for cross-browser support, use the Content-Security-Policy frame-ancestors directive instead.

class DummyController < ApplicationController
  def embeddable_action
    # Use the key exactly as Rails spells it ('X-Frame-Options') so this
    # assignment overrides the SAMEORIGIN default rather than relying on
    # case-insensitive matching of header names.
    response.headers["X-Frame-Options"] = "ALLOW-FROM http://robbiemarcelo.com"
    # render or do something
  end
end
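As an added example (not code from the original post), here is a plain-Ruby helper that builds the framing headers from a list of origins allowed to embed a page, so the same logic can be reused from any controller action. It assumes origins are given as scheme://host[:port] strings (eatkit.in and partner.example below are placeholders), always emits a Content-Security-Policy frame-ancestors directive (the standardised successor to X-Frame-Options, which accepts several origins and is honoured by current Chrome, Firefox and Safari), and adds ALLOW-FROM only when there is exactly one origin, since that directive cannot express a list.

```ruby
require 'uri'

# Builds response headers that control which origins may frame a page.
# Example code added to this page; it is not from the original post and
# does not depend on Rails, so it can be run and tested on its own.
module FrameHeaders
  # What Rails 4 sends for this header when nothing else is configured.
  RAILS_DEFAULT = { 'X-Frame-Options' => 'SAMEORIGIN' }.freeze

  # Normalise a string to an origin (scheme://host[:port]) and reject anything
  # carrying a path, query or fragment: those are not valid in ALLOW-FROM or
  # frame-ancestors and would silently weaken or void the policy.
  def self.origin!(str)
    u = URI.parse(str.to_s)
    bad = !%w[http https].include?(u.scheme) || u.host.nil? ||
          !(u.path.empty? || u.path == '/') || !u.query.nil? || !u.fragment.nil?
    raise ArgumentError, "not an origin: #{str.inspect}" if bad

    port = u.port == u.default_port ? '' : ":#{u.port}"
    "#{u.scheme}://#{u.host.downcase}#{port}"
  end

  # Headers for a page embeddable by the given origins (plus its own origin).
  # An empty list keeps the Rails default (same origin only).
  def self.headers_for(allowed_origins)
    origins = Array(allowed_origins).map { |o| origin!(o) }.uniq
    return RAILS_DEFAULT.dup if origins.empty?

    headers = {
      'Content-Security-Policy' => "frame-ancestors 'self' #{origins.join(' ')}"
    }
    # Legacy fallback for browsers that honour ALLOW-FROM (it takes one origin).
    # With several origins no X-Frame-Options value fits, so the header is left
    # out and CSP alone decides; sending SAMEORIGIN here would block every
    # partner in a browser that supports X-Frame-Options but not frame-ancestors.
    headers['X-Frame-Options'] = "ALLOW-FROM #{origins.first}" if origins.size == 1
    headers
  end

  # Apply to a response header hash, e.g. response.headers inside a Rails
  # action (hypothetical usage: FrameHeaders.apply!(response.headers, PARTNERS)).
  # The Rails default X-Frame-Options is removed first so a stale value cannot
  # survive alongside the new policy.
  def self.apply!(response_headers, allowed_origins)
    response_headers.delete('X-Frame-Options')
    response_headers.merge!(headers_for(allowed_origins))
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the default headers a Rails 4 response starts with.
  resp = { 'X-Frame-Options' => 'SAMEORIGIN', 'X-Content-Type-Options' => 'nosniff' }
  FrameHeaders.apply!(resp, ['http://eatkit.in', 'https://partner.example:8443'])
  resp.each { |k, v| puts "#{k}: #{v}" }
end
```

In a Rails 4 controller the hypothetical call would sit in a before_action, for example `before_action { FrameHeaders.apply!(response.headers, %w[http://eatkit.in]) }`, and origin! rejecting URLs with a path is deliberate: a value such as `http://eatkit.in/shop` is not an origin, and browsers would ignore it rather than match the host.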

3 Responses

Thank you very much. I had been searching for this for a long time. I have one website that I want to be accessed from 4 different websites. How do I achieve that? How do I write it to allow framing from some domains only?

over 1 year ago

I am working on 'www.banjare.in' and we have another domain, 'eatkit.in', for which I created a masked redirection. So I added allow-from, as you said in the article, to application.rb.

Allow from eatkit.in

config.action_dispatch.default_headers = {
    'X-Frame-Options' => 'ALLOW-FROM http://eatkit.in'
}

But I got the following error in the Chrome console:
Invalid 'X-Frame-Options' header encountered when loading 'http://www.banjare.in/restaurants': 'ALLOW-FROM http://eatkit.in' is not a recognized directive. The header will be ignored.

over 1 year ago

Great, works a treat, thanks.

over 1 year ago