
In a Ruby on Rails 4 application I'm working on, I need to make a page that will be pulled into an iframe hosted on the foo.bar.com server, so I have this controller method:

def iframed_page
  response.headers["X-FRAME-OPTIONS"] = "ALLOW-FROM http://foo.bar.com"
end

...and now it turns out that the client wants me to also whitelist http://foo.dev.bar.com as well.

I know that for setting X-FRAME-OPTIONS, the "ALLOW-FROM" option doesn't allow for multiple subdomains. But since this is the same root domain with different subdomains, would it be a little more flexible? For example, could I do something like

response.headers["X-FRAME-OPTIONS"] = "ALLOW-FROM http://*.bar.com"

as well?

drumwolf
  • possible duplicate of [X-Frame-Options Allow-From multiple domains](http://stackoverflow.com/questions/10205192/x-frame-options-allow-from-multiple-domains) – deefour Nov 04 '14 at 22:14
  • I read that question, thank you very much. It doesn't explain anything about Ruby on Rails, or what to do if you have two different subdomains of the same root domain. – drumwolf Nov 04 '14 at 22:22
  • I'm not trying to be argumentative when I say: your question isn't really Rails-specific, and the question/answer linked above does provide information on a wildcard prefix using `Content-Security-Policy`. Regardless, it seems `X-FRAME-OPTIONS` may not be the most forward-looking choice. – deefour Nov 04 '14 at 22:27
  • The question linked above makes it clear that `Content-Security-Policy` doesn't work in all browsers and that the relevant directive `frame-ancestors` only works in Chrome and Firefox. Also that answer's statements about `X-FRAME-OPTIONS` are out of date as well. – fzzfzzfzz Dec 04 '15 at 17:44

1 Answer


You can use the Content-Security-Policy header instead, but it doesn't work on everything.

response.headers["X-Content-Security-Policy"] = "frame-ancestors http://*.bar.com"
response.headers["Content-Security-Policy"] = "frame-ancestors http://*.bar.com"
  • Content-Security-Policy will override X-Frame-Options on modern browsers
  • X-Content-Security-Policy will override X-Frame-Options on IE11
Andrew Carreiro

  • `frame-ancestors` is part of CSP version 2, which is [currently not supported](http://caniuse.com/#feat=contentsecuritypolicy2) in Internet Explorer or Edge. – Sjoerd Jul 20 '16 at 11:53
  • Note that frame-ancestors will not take priority in Firefox, see this bug https://bugzilla.mozilla.org/show_bug.cgi?id=1024557 and upvote it to try to get this fixed. – MicWit Feb 21 '17 at 22:08
  • Per https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP: _"sometimes you will see mentions of the X-Content-Security-Policy header, but that's an older version and you don't need to specify it anymore"_ – Madbreaks May 23 '17 at 18:39
  • Note: It is known that having both Content-Security-Policy and X-Content-Security-Policy or X-Webkit-CSP causes unexpected behaviours on certain versions of browsers. Please avoid using deprecated X-* headers. - source: https://content-security-policy.com/ – Pak Apr 03 '20 at 10:16
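The practical gap in this thread is that `frame-ancestors` takes a whole list (wildcards included) while `ALLOW-FROM` takes exactly one origin and no wildcard. The following is an added example, not code from the question or the answer: a plain-Ruby helper (assumed name `FrameHeaders`, constructed allowlist `ALLOWED_FRAME_ANCESTORS`) that emits the CSP header with the full list and resolves `X-Frame-Options` per request by matching an embedder hint (such as a `parent` query parameter) against that list, falling back to `DENY` for anything that does not match.

```ruby
require 'uri'

# Constructed allowlist for this example (not from the question): exact origins or
# CSP-style wildcard hosts. CSP frame-ancestors accepts these verbatim; X-Frame-Options
# ALLOW-FROM cannot express a wildcard, so it is resolved per request instead.
ALLOWED_FRAME_ANCESTORS = %w[http://foo.bar.com http://*.dev.bar.com].freeze

module FrameHeaders
  module_function

  # Reduce an absolute http(s) URL to its origin (scheme://host[:port]); nil otherwise,
  # so schemes like javascript: or garbage input can never reach the header.
  def origin_of(url)
    uri = URI.parse(url.to_s)
    return nil unless uri.is_a?(URI::HTTP) && uri.host
    port = uri.port == uri.default_port ? "" : ":#{uri.port}"
    "#{uri.scheme}://#{uri.host.downcase}#{port}"
  rescue URI::InvalidURIError
    nil
  end

  # Does an allowlist entry (exact origin or scheme://*.domain) cover this origin?
  # A wildcard entry matches subdomains only, never the bare domain or a lookalike
  # host that merely contains the suffix.
  def entry_matches?(entry, origin)
    return entry == origin unless entry.include?("*.")
    scheme, host = entry.split("://", 2)
    suffix = host.sub("*.", ".")
    o = URI.parse(origin)
    o.scheme == scheme && o.host.end_with?(suffix) && o.host.length > suffix.length
  end

  # parent_hint is where the embedding page says it is (query parameter, Referer).
  # It only selects an allowlist entry; an unmatched or missing hint yields DENY,
  # so a forged hint cannot widen the policy beyond the allowlist.
  def build(parent_hint, allowed = ALLOWED_FRAME_ANCESTORS)
    hint = origin_of(parent_hint)
    permitted = hint && allowed.any? { |e| entry_matches?(e, hint) }
    {
      "Content-Security-Policy" => "frame-ancestors #{allowed.join(' ')}",
      "X-Frame-Options" => permitted ? "ALLOW-FROM #{hint}" : "DENY"
    }
  end
end

# Assumed Rails wiring (not from the question): in the controller,
#   before_action { response.headers.merge!(FrameHeaders.build(params[:parent])) }
```

Browsers that honour `frame-ancestors` ignore `X-Frame-Options` when both are present, so the single-origin header only matters for the older browsers the answer's comments describe.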