Last Updated: November 30, 2016
rbmrclo

Rails 4: Allow your site to be iframed by another site.

In Rails 4, the X-Frame-Options HTTP header is set to SAMEORIGIN by default. This allows the page to be framed only by pages from the same origin and so prevents clickjacking, which is good for security.

In some cases you want to explicitly allow your content to be loaded cross-domain, and you can do this by setting X-Frame-Options to 'ALLOWALL' in the default headers:

# Replaces the SAMEORIGIN default for every response.
# Note: ALLOWALL is not a directive defined for X-Frame-Options; browsers
# ignore an unrecognised value (Chrome logs "not a recognized directive"),
# so the practical effect is the same as sending no header at all: any
# site can frame the page.
config.action_dispatch.default_headers = {
    'X-Frame-Options' => 'ALLOWALL'
}

Bonus:
If you want to allow framing only from a specific site, you can set the header in a particular controller action instead.

class DummyController < ApplicationController
  def embeddable_action
    # Use the same key casing as default_headers ('X-Frame-Options') so the
    # SAMEORIGIN default is replaced rather than risking both variants being
    # emitted. ALLOW-FROM is honoured only by Internet Explorer and older
    # Firefox; Chrome and Safari ignore it (see the console error reported in
    # the responses below), so for those browsers this header has no effect.
    response.headers["X-Frame-Options"] = "ALLOW-FROM http://robbiemarcelo.com"
    # render or do something
  end
end
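The ALLOW-FROM approach above only covers a single origin and is not honoured by Chrome or Safari, and the responses below ask how to allow framing from several specific domains. This added example (not code from the original tip or from Rails) goes beyond the text: it builds the headers for an allow-list of embedders using Content-Security-Policy frame-ancestors, the standard that replaced ALLOW-FROM, while keeping X-Frame-Options so legacy browsers fail closed. The FrameAncestors module and its method names are hypothetical helpers.

```ruby
# Hypothetical helper: builds frame-embedding headers for a Rails action from
# an allow-list of embedding origins. Not part of Rails or the original tip.
module FrameAncestors
  # Accepts only scheme://host[:port]; no path, query, userinfo or whitespace.
  ORIGIN_RE = %r{\A(?<scheme>https?)://(?<host>[a-z0-9.-]+)(?::(?<port>\d{1,5}))?\z}i

  # Normalise and validate one origin. Rejecting anything beyond a bare origin
  # prevents a malformed value (e.g. one containing CR/LF) from smuggling an
  # extra directive or header line into the response.
  def self.normalize_origin(origin)
    m = ORIGIN_RE.match(origin.to_s.strip)
    raise ArgumentError, "invalid embedding origin: #{origin.inspect}" unless m
    port = m[:port] ? ":#{m[:port]}" : ""
    "#{m[:scheme].downcase}://#{m[:host].downcase}#{port}"
  end

  # Returns the response headers that allow framing only by +origins+ (and by
  # the page's own origin via 'self').
  #  - Content-Security-Policy frame-ancestors carries the full list and is what
  #    current browsers enforce; it takes precedence over X-Frame-Options.
  #  - X-Frame-Options is kept for legacy browsers: ALLOW-FROM when there is
  #    exactly one origin (the only form it supports), otherwise SAMEORIGIN so
  #    an old browser without CSP support fails closed instead of open.
  def self.headers_for(origins)
    list = origins.map { |o| normalize_origin(o) }.uniq
    raise ArgumentError, "at least one origin required" if list.empty?
    xfo = list.size == 1 ? "ALLOW-FROM #{list.first}" : "SAMEORIGIN"
    {
      "Content-Security-Policy" => "frame-ancestors 'self' #{list.join(' ')}",
      "X-Frame-Options" => xfo
    }
  end
end

# In a controller action this would be applied as:
#   response.headers.merge!(FrameAncestors.headers_for(EMBEDDING_SITES))
if __FILE__ == $0
  p FrameAncestors.headers_for(["https://eatkit.in"])
  p FrameAncestors.headers_for(["https://a.example", "https://b.example:8443"])
end
```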

3 Responses

Thank you very much. I have been searching for this for a long time. I have one website that I want to be accessible from 4 different websites. How do I achieve that? How do I allow framing from some domains only?

over 1 year ago

I am working on 'www.banjare.in' and we have one domain as 'eatkit.in', and I created a masked redirection. So I added allow-from, as you said in the article, to application.rb.

Allow from eatkit.in

# ALLOW-FROM is only recognised by Internet Explorer and older Firefox;
# Chrome ignores it, which produces the console error shown below.
config.action_dispatch.default_headers = {
    'X-Frame-Options' => 'ALLOW-FROM http://eatkit.in'
}

But I got the following error in the Chrome console:
Invalid 'X-Frame-Options' header encountered when loading 'http://www.banjare.in/restaurants': 'ALLOW-FROM http://eatkit.in' is not a recognized directive. The header will be ignored.

over 1 year ago

Great, works a treat, thanks.

9 months ago