Rails 4: Allow your site to be iframed by another site.
In Rails 4 the X-Frame-Options response header is set by default to SAMEORIGIN. This tells the browser to render the page inside a frame only when the framing page has the same origin (scheme, host and port), which is what stops another site from overlaying your page and tricking users into clicking on it (clickjacking). It is a sensible default, so only relax it for the pages that genuinely need to be embedded.
If you do want every site to be able to frame your content, the usual advice is to set X-Frame-Options to 'ALLOWALL'. Be aware of what that actually does: ALLOWALL is not one of the values defined by RFC 7034 (DENY, SAMEORIGIN and ALLOW-FROM are), so browsers treat it as an unrecognised value and ignore the header. The effect is the same as sending no X-Frame-Options at all, and you have turned clickjacking protection off for the whole application. Removing the header from the default headers instead is more honest about that; restricting the change to specific actions (see the bonus below) is safer still.
# config/application.rb (or config/environments/*.rb).
# Change only this one key. Assigning a whole new hash to
# config.action_dispatch.default_headers would also throw away the other
# headers Rails 4 sets by default (X-XSS-Protection, X-Content-Type-Options).
config.action_dispatch.default_headers['X-Frame-Options'] = 'ALLOWALL'
Bonus:
If you only want one specific site to be able to frame one particular page, set the header in that controller action rather than globally. Note that ALLOW-FROM takes exactly one origin (no path, no wildcard) and that Chrome and Safari never implemented it: they treat ALLOW-FROM as an invalid value and ignore the header, so those browsers will frame the page from anywhere. The portable way to express an allowlist of framing sites is the Content-Security-Policy frame-ancestors directive, which can be sent alongside X-Frame-Options.
class DummyController < ApplicationController
  def embeddable_action
    # Use the same key Rails uses ("X-Frame-Options") so this replaces the
    # default SAMEORIGIN value instead of adding a second, differently-cased
    # header with a conflicting value.
    response.headers["X-Frame-Options"] = "ALLOW-FROM http://robbiemarcelo.com"
    # render or do something
  end
end
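The following is an added example, not code from the original protip. It is a small framework-free Ruby module (a hypothetical FramingPolicy, with made-up origins such as https://partner.example) that turns an explicit allowlist of embedding sites into the header pair a browser actually honours today: X-Frame-Options where it can express the policy, plus Content-Security-Policy frame-ancestors, which Chrome and Safari respect and which can list more than one origin. It also includes a function that simulates the browser's frame-ancestors decision so the allowlist can be unit-tested without a browser. The Rails wiring in the comments is an assumption about how you would use it, not something the protip shows.

```ruby
require "uri"

# Added example (not from the original protip). Builds the headers that decide
# who may put a page in a frame, from an explicit allowlist of embedding sites.
module FramingPolicy
  # Reduce a URL to its origin: lowercase scheme and host, port only when it is
  # not the scheme default. Anything that is not an absolute http(s) URL raises,
  # so a typo in the allowlist fails loudly instead of silently doing nothing.
  def self.origin_of(url)
    uri = URI.parse(url.to_s)
    unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
      raise ArgumentError, "origin must be an absolute http(s) URL: #{url.inspect}"
    end
    port = uri.port == uri.default_port ? "" : ":#{uri.port}"
    "#{uri.scheme.downcase}://#{uri.host.downcase}#{port}"
  rescue URI::InvalidURIError => e
    raise ArgumentError, "origin must be an absolute http(s) URL: #{e.message}"
  end

  # allowed is one of:
  #   :none  - nobody may frame the page
  #   :self  - only pages from the same origin (Rails' default behaviour)
  #   Array  - absolute URLs of sites permitted to embed the page (plus self)
  # Returns header name => value. The key is spelled exactly as Rails spells it
  # ("X-Frame-Options") so merging into response.headers replaces the default
  # rather than adding a second, differently-cased header.
  def self.headers_for(allowed)
    case allowed
    when :none
      { "X-Frame-Options" => "DENY",
        "Content-Security-Policy" => "frame-ancestors 'none'" }
    when :self
      { "X-Frame-Options" => "SAMEORIGIN",
        "Content-Security-Policy" => "frame-ancestors 'self'" }
    when Array
      origins = allowed.map { |u| origin_of(u) }.uniq
      return headers_for(:none) if origins.empty?
      headers = {
        "Content-Security-Policy" => "frame-ancestors 'self' #{origins.join(' ')}"
      }
      # ALLOW-FROM can name exactly one origin. Chrome and Safari never
      # implemented it and ignore the whole header when they see it, so the
      # frame-ancestors line above is the one doing the real work. With several
      # origins X-Frame-Options cannot express the policy at all, so it is
      # omitted rather than sent with a value browsers would discard.
      if origins.size == 1
        headers["X-Frame-Options"] = "ALLOW-FROM #{origins.first}"
      end
      headers
    else
      raise ArgumentError, "allowed must be :none, :self or an Array of URLs"
    end
  end

  # Simulate the browser's frame-ancestors check for the policy `allowed`:
  # may the document at embedder_url frame the page at page_url?
  def self.framing_allowed?(allowed, page_url, embedder_url)
    page     = origin_of(page_url)
    embedder = origin_of(embedder_url)
    case allowed
    when :none then false
    when :self then page == embedder
    when Array then page == embedder || allowed.map { |u| origin_of(u) }.include?(embedder)
    else raise ArgumentError, "allowed must be :none, :self or an Array of URLs"
    end
  end
end

# Assumed Rails usage (not shown in the protip): relax framing for one action
# only, keeping the SAMEORIGIN default everywhere else.
#
#   class WidgetsController < ApplicationController
#     before_action :allow_partner_framing, only: :embed
#
#     def allow_partner_framing
#       response.headers.merge!(FramingPolicy.headers_for(["https://partner.example"]))
#     end
#   end
```

If you really do want any site to frame the page, `headers_for` deliberately has no "all" mode: drop the X-Frame-Options key from `config.action_dispatch.default_headers` for that response (or send `frame-ancestors *`) so the intent is visible in the code, rather than relying on browsers discarding an invalid ALLOWALL value.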
Written by Robbie Marcelo
2 Responses
Great, works a treat thanks
@lokeshjain2008
Allow-from is not supported by Chrome and Safari. I guess you were trying from either of those. It should be working from Firefox. I'd like to stretch it a bit by saying that it does not work in browsers that use WebKit as their engine (Chrome uses WebCore, which is a fork of WebKit), but that's just my guess.