I am developing a Rails application that clients can embed on their sites using iframes. I am looking for a way to allow only my clients to embed the app. I am familiar with the X-Frame-Options header, i.e.:

response.headers["X-Frame-Options"] = "ALLOW-FROM http://www.example.com"

(from X-Frame-Options ALLOW-FROM a specific site allows from all)

Is there a way to allow a number of sites?

Jelle
  • It seems you cannot supply more than 1 website for ALLOW-FROM as specified here: http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx. Go to that url and search for: `Note that the Allow-From token does not support wildcards or listing of multiple origins`. Take a look here too: http://stackoverflow.com/questions/10205192/x-frame-options-allow-from-multiple-domains – cristian Jun 05 '14 at 13:37
  • Thanks for the link! It actually suggests a design pattern that would answer my question, right below the search that you suggested. But then I need the URL of the site that has the iframe. How can I obtain this? – Jelle Jun 05 '14 at 13:40
  • If you can find out the IP addresses you could block all other IPs via your HTTP server – j-dexx Jun 05 '14 at 13:51
  • Thanks for the suggestion. I'm not sure that all my clients have fixed IPs, though. Plus I'm using Heroku, and I'm not sure how to block IPs there. – Jelle Jun 05 '14 at 14:09
  • I just found request.headers['Referer']. Is this considered a safe way to establish the identity of the referring site? Or can it be faked easily? – Jelle Jun 05 '14 at 14:10

1 Answer

-1

OK, Octopus-Paul put me on the right track. I resolved this with the following code in application.rb:

 # app/controllers/application_controller.rb
 # default_headers is a static hash built once at boot and has no request,
 # so the per-request Referer check belongs in a controller filter instead.
 class ApplicationController < ActionController::Base
   after_action :set_frame_options

   private

   def set_frame_options
     referer = request.headers['Referer']
     site = 'http://www.example.com'
     # Escape the site and require a delimiter after it so that
     # "http://www.example.com.evil.test" does not match.
     if referer =~ %r{\A#{Regexp.escape(site)}(?:[/?#]|\z)}
       response.headers['X-Frame-Options'] = 'ALLOWALL'
     else
       response.headers['X-Frame-Options'] = 'SAMEORIGIN'
     end
   end
 end

Now I just need to scan a list of allowed sites using this code, and I'm done, I guess.

Jelle
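The answer's next step is to check the Referer against a list of allowed sites. Below is an added example (not code from the original question or answer) that does this by comparing the Referer's parsed origin (scheme, host, port) against an allow-list, rather than matching a URL prefix with a regexp. It is plain Ruby so it runs outside Rails; the site names and the ALLOWED_SITES constant are constructed values, and in an app the function would be called from an after_action with request.headers['Referer'] and its result written to response.headers['X-Frame-Options'], as in the answer.

```ruby
# Added example, not from the original page: Referer allow-list by exact origin.
require 'uri'

# Client sites allowed to frame the app (constructed sample values).
ALLOWED_SITES = %w[http://www.example.com https://client.example.org:8443].freeze

# Normalise a URL to its origin: lowercased scheme and host plus the effective
# port (URI fills in 80/443 when none is given). Returns nil when the value
# is missing, is not an http(s) URL, or cannot be parsed at all.
def origin_of(url)
  uri = URI.parse(url.to_s)
  return nil unless uri.is_a?(URI::HTTP) && uri.host
  "#{uri.scheme.downcase}://#{uri.host.downcase}:#{uri.port}"
rescue URI::InvalidURIError
  nil
end

ALLOWED_ORIGINS = ALLOWED_SITES.map { |s| origin_of(s) }.compact.freeze

# Returns the X-Frame-Options value to send for a given Referer header.
# Comparing whole origins means "http://www.example.com.evil.test/" or
# "http://evil.test/?u=http://www.example.com" are rejected, which a bare
# "\A#{site}" prefix match does not guarantee. A missing or unparsable
# Referer (browser privacy settings, Referrer-Policy) falls back to the
# restrictive SAMEORIGIN value rather than opening framing up.
def frame_options_for(referer, allowed_origins = ALLOWED_ORIGINS)
  origin = origin_of(referer)
  return 'SAMEORIGIN' if origin.nil?
  allowed_origins.include?(origin) ? 'ALLOWALL' : 'SAMEORIGIN'
end

if $PROGRAM_NAME == __FILE__
  %w[
    http://www.example.com/page
    http://WWW.Example.com/page
    http://www.example.com.evil.test/
    http://evil.test/?u=http://www.example.com
    https://client.example.org:8443/embed
    https://www.example.com/
  ].each { |r| puts "#{r.ljust(48)} -> #{frame_options_for(r)}" }
  puts "#{'(no Referer)'.ljust(48)} -> #{frame_options_for(nil)}"
end
```

Two points for anyone reusing this: a browser sets the Referer itself, so a framing page cannot choose what it sends, but the header is often absent or reduced to an origin by Referrer-Policy, which is why the fallback value matters; and the same allow-list can be emitted as a Content-Security-Policy frame-ancestors directive, which accepts several origins and is enforced by the browser without relying on the Referer at all (a standard header, not something the page above discusses).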