Rails 4 Facebook Applications
[Read: Rails 4 iframe-based applications]
Rails 4 tightens a number of its previously insecure defaults. Among these changes is a set of security headers that Rails now adds to every response. Two of them are harmless for almost any application, but the third, X-Frame-Options, will break Facebook canvas applications (or any application that has to be rendered inside an iframe on another site).
The new headers, as set in Rails' own source:
# actionpack/lib/action_dispatch/railtie.rb (L20)
config.action_dispatch.default_headers = {
'X-Frame-Options' => 'SAMEORIGIN',
'X-XSS-Protection' => '1; mode=block',
'X-Content-Type-Options' => 'nosniff'
}
The "X-Frame-Options: SAMEORIGIN" header tells the browser to refuse to render the page inside a frame unless the top-level document comes from the same origin. It is there to prevent clickjacking, but a Facebook canvas application is always framed by "apps.facebook.com", so the browser refuses to display your app and logs a "Refused to display ... in a frame" error in the console.
There are a few ways to fix this floating around on the web, but I've experienced issues with all of them. I've found that the simplest and most effective way to fix the issue is to remove the header altogether.
Override the default headers in your config/application.rb, leaving "X-Frame-Options" out. Note that with the header gone any site can frame your application, not just apps.facebook.com, so you are giving up Rails' default clickjacking protection:
# config/application.rb
config.action_dispatch.default_headers = {
'X-XSS-Protection' => '1; mode=block',
'X-Content-Type-Options' => 'nosniff'
}
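To see what each header choice actually buys you, here is an added example (not code from the original post or from Rails) that models the framing decision a browser makes for a Rails response. It mirrors the Rails 4 default_headers hash, drops X-Frame-Options the way the post does, and also shows an alternative that keeps clickjacking protection by sending a CSP frame-ancestors directive that allows only the Facebook origins. Rails 4 has no CSP helper, so that alternative assumes you set the header as a plain entry in default_headers; the app URL, Facebook canvas path and "evil" origin are constructed sample values.

```ruby
# Added example, not code from the original post or from Rails. It models the
# framing decision a browser makes for a response, so the effect of each header
# choice can be checked offline. The hash mirrors Rails 4's default_headers; the
# URLs used below are constructed sample values (assumptions, not from the post).

RAILS4_DEFAULT_HEADERS = {
  'X-Frame-Options'        => 'SAMEORIGIN',
  'X-XSS-Protection'       => '1; mode=block',
  'X-Content-Type-Options' => 'nosniff'
}.freeze

# What the post does: drop X-Frame-Options. Any site can now frame the app.
def headers_without_xfo(defaults)
  defaults.reject { |name, _| name.casecmp('X-Frame-Options').zero? }
end

# Alternative (assumption: set as a plain header in default_headers): drop
# X-Frame-Options but add CSP frame-ancestors so only the app itself and the
# listed origins may frame the page.
def headers_with_frame_ancestors(defaults, allowed_origins)
  headers_without_xfo(defaults).merge(
    'Content-Security-Policy' => "frame-ancestors 'self' #{allowed_origins.join(' ')}"
  )
end

# scheme://host[:port] of a URL, default ports dropped, for origin comparison.
def origin_of(url)
  m = url.match(%r{\A([a-z][a-z0-9+.-]*)://([^/:?#]+)(?::(\d+))?}i)
  raise ArgumentError, "not an absolute URL: #{url}" unless m
  scheme, host, port = m[1].downcase, m[2].downcase, m[3]
  port = nil if port == (scheme == 'https' ? '443' : '80')
  port ? "#{scheme}://#{host}:#{port}" : "#{scheme}://#{host}"
end

# CSP host-source matching: optional scheme, optional leading "*." wildcard.
def source_matches?(src, top_origin)
  src_scheme, src_host = src.include?('://') ? src.split('://', 2) : [nil, src]
  top_scheme, top_host = top_origin.split('://', 2)
  return false if src_scheme && src_scheme.downcase != top_scheme
  src_host = src_host.downcase
  return top_host.end_with?(src_host[1..-1]) if src_host.start_with?('*.')
  top_host == src_host
end

# Would a browser render page_url in a frame whose top-level document is top_url?
# Returns [allowed?, reason]. frame-ancestors takes precedence over
# X-Frame-Options when both are present, as current browsers do.
def frameable?(headers, page_url, top_url)
  page_origin = origin_of(page_url)
  top_origin  = origin_of(top_url)
  h = headers.each_with_object({}) { |(k, v), acc| acc[k.downcase] = v.to_s }

  if (m = h.fetch('content-security-policy', '').match(/frame-ancestors\s+([^;]+)/i))
    ok = m[1].split.any? do |src|
      case src
      when "'none'" then false
      when "'self'" then top_origin == page_origin
      when '*'      then true
      else source_matches?(src, top_origin)
      end
    end
    return [ok, "CSP frame-ancestors #{m[1].strip}"]
  end

  xfo = h.fetch('x-frame-options', '').strip
  case xfo.upcase
  when ''           then [true,  'no framing restriction']
  when 'DENY'       then [false, 'X-Frame-Options: DENY']
  when 'SAMEORIGIN' then [top_origin == page_origin, 'X-Frame-Options: SAMEORIGIN']
  when /\AALLOW-FROM /
    # Legacy directive; Chrome and Safari never supported it, so do not rely on it.
    allowed = origin_of(xfo.split(' ', 2).last)
    [top_origin == allowed, "X-Frame-Options: ALLOW-FROM #{allowed}"]
  else              [true,  "unrecognised X-Frame-Options value #{xfo.inspect}, ignored"]
  end
end

if __FILE__ == $0
  app  = 'https://myapp.example.com/canvas'    # constructed app URL
  fb   = 'https://apps.facebook.com/my-app'    # Facebook canvas parent (constructed path)
  evil = 'https://evil.example.net/clickjack'  # constructed attacker page
  [
    ['Rails 4 defaults', RAILS4_DEFAULT_HEADERS],
    ['header removed',   headers_without_xfo(RAILS4_DEFAULT_HEADERS)],
    ['frame-ancestors',  headers_with_frame_ancestors(RAILS4_DEFAULT_HEADERS, ['https://apps.facebook.com'])]
  ].each do |label, hdrs|
    puts "#{label}: facebook=#{frameable?(hdrs, app, fb).first} evil=#{frameable?(hdrs, app, evil).first}"
  end
end
```

Run it and the "header removed" row shows the trade-off the post makes: Facebook can frame the app, but so can the attacker page. The frame-ancestors row allows Facebook and still refuses the attacker, at the cost of depending on browsers that honour CSP level 2.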
If you have a more effective way, please let me know.
Good luck!
Written by Tom Milewski
6 Responses
You can just remove it with:
config.action_dispatch.default_headers.clear
@jnajera but .clear() would remove all of them, which is a different behaviour.
@jnajera I have to agree with @Papipo. We don't want to simply remove all of the headers but rather individual ones. Sadly, config.action_dispatch.default_headers.delete('X-Frame-Options') isn't a thing.
I have updated my 'config/application.rb' as suggested in this tip.
But no matter what I do I keep getting this error in my console while trying to do a redirect, and the OAuth dialog does not appear:
Refused to display 'https://www.facebook.com/dialog/oauth?client_id=FACEBOOK_APP_ID&redirect_uri=http://localhost:3000' in a frame because it set 'X-Frame-Options' to 'DENY'.
Fixed the issue by doing a JavaScript redirect:
<script>
top.location="https://www.facebook.com/dialog/oauth?client_id=FACEBOOK_APP_ID&redirect_uri=http://apps.facebook.com/app-namespace";
</script>
Looks like Facebook does not allow redirects within an iframe (and canvas apps are in an iframe).
config.action_dispatch.default_headers.delete 'X-Frame-Options'
works for me