-1

I have set X-Frame-Option to SameOrigin, but I am still able to render the same document in an iframe from a different origin.

Gokul P S

2 Answers

0

There is a lack of information about the project, versions, etc.

Please provide a code example.

Anyway, did you try rack-cors?

m1l05z
0

First, the correct header name is X-Frame-Options, not X-Frame-Option.

Please read Security#default-headers to understand how to change the default headers, including X-Frame-Options.

If you want to change X-Frame-Options in a controller, you can use something like:

class MyAwesomeController < ApplicationController
  def show
    response.headers["X-FRAME-OPTIONS"] = "ALLOW-FROM http://mysite"
  end
end

Finally, take the time to read about X-FRAME-OPTIONS vs Frame-Ancestors; X-FRAME-OPTIONS seems deprecated in some browsers. A good place to start is this discussion: X-Frame-Options Allow-From multiple domains

Duke
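The header points raised in the second answer (the misspelled name, ALLOW-FROM versus frame-ancestors) can be checked mechanically. The following is an added example, not code from either answer: `audit_framing` is a hypothetical helper and the sample headers are constructed.

```ruby
# Added example: audit a response's anti-framing headers.
BROAD_SOURCES = %w[* http: https:].freeze # frame-ancestors sources matching any host

# Returns [verdict, findings]; verdict is :restricted when a browser would
# enforce some framing limit, :unrestricted when any origin may frame the page.
def audit_framing(headers)
  h = headers.map { |k, v| [k.to_s.downcase, v.to_s.strip] }.to_h
  findings = []

  # Near-miss names such as "X-Frame-Option" are unknown headers and are ignored.
  h.each_key do |name|
    next unless name.start_with?("x-frame") && name != "x-frame-options"
    findings << "#{name}: not a recognised header, ignored"
  end

  # CSP frame-ancestors, when present, takes the place of X-Frame-Options.
  directive = h["content-security-policy"].to_s.split(";").map(&:split)
               .find { |tokens| tokens.first&.downcase == "frame-ancestors" }
  if directive
    sources = directive.drop(1)
    findings << "frame-ancestors: #{sources.join(' ')}"
    broad = sources.any? { |s| BROAD_SOURCES.include?(s.downcase) }
    return [broad ? :unrestricted : :restricted, findings]
  end

  xfo = h["x-frame-options"].to_s.upcase
  case xfo
  when "DENY", "SAMEORIGIN"
    return [:restricted, findings << "x-frame-options: #{xfo}"]
  when ""
    findings << "no x-frame-options or frame-ancestors"
  when /\AALLOW-FROM\b/
    findings << "ALLOW-FROM is obsolete and ignored by current browsers; use frame-ancestors"
  else
    findings << "x-frame-options: invalid value #{xfo}"
  end
  [:unrestricted, findings]
end

# Constructed sample responses.
SAMPLES = {
  "typo"       => { "X-Frame-Option" => "SAMEORIGIN" },
  "sameorigin" => { "X-Frame-Options" => "SAMEORIGIN" },
  "allow-from" => { "X-FRAME-OPTIONS" => "ALLOW-FROM http://mysite" },
  "csp"        => { "Content-Security-Policy" => "default-src 'self'; frame-ancestors 'self' http://mysite" }
}.freeze
SAMPLES.each { |label, hdrs| puts "#{label}: #{audit_framing(hdrs).inspect}" }
```

In a Rails request or integration test the same function can be given `response.headers` directly.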