Last Updated: September 29, 2021 · 47.94K · rbmrclo

Rails 4: Allow your site to be iframed by another site.

In Rails 4, the X-Frame-Options HTTP header is set to SAMEORIGIN by default. This lets a page be framed only by pages from the same origin and prevents clickjacking, which is a good default.

In some cases you want to allow your content to be embedded cross-origin, and the quickest way is to set X-Frame-Options to 'ALLOWALL'. Be aware that ALLOWALL is not a value browsers actually recognise: it works because browsers ignore an unrecognised X-Frame-Options value, which removes the restriction entirely. Deleting the header has the same effect. Either way, every page in the app becomes embeddable by any site and the clickjacking protection is gone, so only do this app-wide if that is really what you want.

config.action_dispatch.default_headers.merge!(
  # merge! keeps Rails' other default headers (X-Content-Type-Options,
  # X-XSS-Protection); assigning a new hash here would drop them.
  'X-Frame-Options' => 'ALLOWALL'
)

Bonus:
If you only want to let a specific site embed a particular page, set the header in that controller action instead, so the app-wide SAMEORIGIN default still covers everything else. ALLOW-FROM takes a single origin (scheme and host, no path) and is honoured only by Firefox and Internet Explorer; Chrome and Safari never implemented it, and the standards-based way to express an allow list of embedders is the Content-Security-Policy frame-ancestors directive.

class DummyController < ApplicationController
  def embeddable_action
    # Use the same key spelling as the Rails default ('X-Frame-Options') so this
    # overrides it rather than adding a second, differently cased header.
    # ALLOW-FROM accepts exactly one origin: scheme://host, no path.
    response.headers["X-Frame-Options"] = "ALLOW-FROM http://robbiemarcelo.com"
    # render or do something
  end
end
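The two approaches above (an app-wide ALLOWALL, and a per-page ALLOW-FROM for one embedder) can be combined into a single policy that decides per path who may frame the response. The following is an added example, not code from the original tip: a Rack-style middleware in plain Ruby (no Rails or rack gem required) that keeps Rails 4's default headers, leaves SAMEORIGIN on every path not listed, and for listed paths emits both the legacy ALLOW-FROM header and the equivalent frame-ancestors directive. Allowed origins are validated so that a bare host, a wildcard or a URL with a path cannot slip into the header. The paths and partner origin are made up for the demo.

```ruby
require 'uri'

# Added example: per-path framing policy as a Rack-compatible middleware.
class FramingPolicy
  # The three headers Rails 4 ships in action_dispatch.default_headers.
  RAILS4_DEFAULTS = {
    'X-Frame-Options'        => 'SAMEORIGIN',
    'X-XSS-Protection'       => '1; mode=block',
    'X-Content-Type-Options' => 'nosniff'
  }.freeze

  # embeddable: { path => [origin, ...] }. An empty array means "anyone may frame it",
  # which is the effect ALLOWALL has; a missing path keeps the SAMEORIGIN default.
  def initialize(app, embeddable:)
    @app = app
    @embeddable = embeddable.transform_values { |origins| origins.map { |o| normalize_origin(o) } }
  end

  def call(env)
    status, headers, body = @app.call(env)
    # merge, never replace: the app's own headers win, but the other defaults survive
    headers = RAILS4_DEFAULTS.merge(headers)
    origins = @embeddable[env['PATH_INFO']]

    if origins.nil?
      # not an embeddable path: SAMEORIGIN stays in place
    elsif origins.empty?
      headers.delete('X-Frame-Options')                 # no restriction at all
      headers['Content-Security-Policy'] = 'frame-ancestors *'
    else
      # ALLOW-FROM carries one origin and is only honoured by Firefox/IE;
      # frame-ancestors carries the whole list and wins in browsers that support CSP.
      headers['X-Frame-Options'] = "ALLOW-FROM #{origins.first}"
      headers['Content-Security-Policy'] = "frame-ancestors #{origins.join(' ')}"
    end
    [status, headers, body]
  end

  private

  # Accept only scheme://host[:port]; reject paths, query strings, userinfo and bare hosts,
  # since any of those would produce an invalid (and therefore ignored) header value.
  def normalize_origin(origin)
    uri = URI.parse(origin)
    valid = %w[http https].include?(uri.scheme) && uri.host &&
            ['', '/'].include?(uri.path.to_s) && uri.userinfo.nil? &&
            uri.query.nil? && uri.fragment.nil?
    raise ArgumentError, "not an origin: #{origin.inspect}" unless valid
    port = uri.port == uri.default_port ? '' : ":#{uri.port}"
    "#{uri.scheme}://#{uri.host.downcase}#{port}"
  end
end

# Constructed demo app and policy; returns the headers that would be sent for a path.
def framing_headers_for(path)
  app = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<p>widget</p>']] }
  policy = FramingPolicy.new(app, embeddable: {
    '/widget'       => ['https://partner.example'],   # made-up partner origin
    '/public-badge' => []                            # anyone may frame this one
  })
  policy.call('PATH_INFO' => path)[1]
end
```

Mount it as you would any other middleware; the only state it holds is the allow list, so the decision is made once at boot and cannot be influenced by request parameters. If an action already sets Content-Security-Policy itself, merge the frame-ancestors directive into that value rather than overwriting it as this demo does.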

2 Responses

Great, works a treat thanks

over 1 year ago

@lokeshjain2008
Allow-from is not supported by Chrome and Safari. I guess you were trying from either of those. It should be working from Firefox. I'd like to stretch it up a bit by saying that it does not work in browsers that use WebKit as their engine (Chrome uses WebCore, which is a fork of WebKit), but that's just my guess.

over 1 year ago