
I'm using a rails application to serve a page from abc.com. In it, I set the response headers in my application controller (for every request through before_filter) so that it can be accessed through an iframe only from a specific site (xyz.com), through the following code:

# Runs as a before_filter on every request; tells browsers that only
# http://www.xyz.com may embed this response in a frame
def set_x_frame_options
  response.headers["X-Frame-Options"] = "ALLOW-FROM http://www.xyz.com"
end

The problem is, not only am I able to access the page from abc.com on xyz but also on any other website. I want to limit the access to only xyz.com. When I examine the response headers in chrome console I can see the X-Frame-Options is being passed on correctly. This is happening across all browsers. Am I missing something?

Swamy g
  • Perhaps related: https://groups.google.com/a/chromium.org/forum/?fromgroups#!topic/chromium-bugs/PkrSeB74a38 .. what about FF/IE9, etc? That is, is it only [that version of] Chrome that is affected? –  Jul 17 '12 at 00:08
  • See also http://stackoverflow.com/questions/10658435/x-frame-options-allow-from-in-firefox-and-chrome "The problem is: *it looks like sending ALLOW-FROM domain results in a no-op overall for the latest Firefox and Google Chrome* [whatever version they were at the time]. IE8, at least, seems to be correctly implementing ALLOW-FROM." .. "Yet, the frame still displays content." –  Jul 17 '12 at 00:11
  • I did check those two links prior to posting here. Regarding the first link, I thought that was it, but I checked on Firefox and Safari and both seem to be allowing from all, so not sure if it's chrome specific. – Swamy g Jul 17 '12 at 16:34
  • Possible duplicate: .
    Or, quoting the answer:
    ALLOW-FROM is not supported in Chrome or Safari. See: https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options *By the way: I don't think adding the Ruby on rails tag was a good idea. This is obviously not Ruby on rails failing.*
    –  Apr 30 '13 at 15:01

1 Answer


For those looking for a definitive answer: it's not implemented in webkit, but does work in Firefox reportedly as of version 18.0. The following ruby syntax works for me in Firefox 20.0 on OSX:

response.headers["X-Frame-Options"] = "Allow-From http://www.website.com"
Michael Lawrie