Cannot display my rails 4 app in iframe even if 'X-Frame-Options' is 'ALLOWALL'

死守一世寂寞 2020-12-13 04:38

I am trying to test a responsive design. I am using Rails 4. I know it sets 'X-Frame-Options' to SAME ORIGIN. So I overrode it in development.rb using

co         


        
8 Answers
  •  感情败类
    2020-12-13 04:49

    When 'Load denied by X-Frame-Options' using Heroku & Firefox

    I had a similar issue where I kept getting this error only on Firefox. I had a PHP web page hosted @ MochaHost serving a Rails app hosted @ Heroku (so the RoR app has a page with an iframe which is pointing to the PHP web page, and this was working on all browsers except Firefox).

    I was able to solve the problem by setting a default header for all of my requests in the specific environment file:

    # config/environments/production.rb
    
    config.action_dispatch.default_headers = { 'X-Frame-Options' => 'ALLOWALL' }
    

    Edit (as sheharyar suggested)

    Ideally, you shouldn't set a default header and do this only for actions that have to be rendered in an iFrame. If your entire app is being served inside an iFrame, you should explicitly mention the Origin:

    # config/environments/production.rb
    
    config.action_dispatch.default_headers = { 'X-Frame-Options' => 'ALLOW-FROM http://some-origin.com' }
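
The per-action scoping recommended in the answer above, as an added example that is not part of the original answer or of Rails itself. `ALLOWALL` is not a defined `X-Frame-Options` value and current browsers ignore `ALLOW-FROM`, so this sketch uses the CSP `frame-ancestors` directive instead; the `FramePolicy` class, the `/embed/` prefix and the sample downstream app are assumptions made for illustration.

```ruby
# Added example: Rack middleware (plain Ruby, no gems) that scopes framing per path.
class FramePolicy
  def initialize(app, prefix: '/embed/', parent: 'http://some-origin.com')
    @app = app
    @prefix = prefix   # assumed route prefix for pages meant to be embedded
    @parent = parent   # the one origin allowed to frame them (from the answer)
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    # Remove any X-Frame-Options set upstream, whatever its case or value.
    headers.delete_if { |name, _| name.casecmp?('x-frame-options') }
    if env['PATH_INFO'].to_s.start_with?(@prefix)
      # Embeddable pages: only the named parent may frame them.
      set_frame_ancestors(headers, @parent)
    else
      # Everything else keeps the Rails default, plus the CSP equivalent.
      headers['x-frame-options'] = 'SAMEORIGIN'
      set_frame_ancestors(headers, "'self'")
    end
    [status, headers, body]
  end

  private

  # Replace any existing frame-ancestors directive, keeping the rest of the CSP.
  def set_frame_ancestors(headers, source)
    old = headers.keys.find { |name| name.casecmp?('content-security-policy') }
    kept = (old ? headers.delete(old).to_s : '').split(';').map(&:strip)
    kept.reject! { |d| d.empty? || d.downcase.start_with?('frame-ancestors') }
    headers['content-security-policy'] = (kept << "frame-ancestors #{source}").join('; ')
  end
end

# Constructed downstream app that emits the permissive headers from the answer.
PERMISSIVE_APP = lambda do |_env|
  [200, { 'X-Frame-Options' => 'ALLOWALL',
          'Content-Security-Policy' => "default-src 'self'; frame-ancestors *" }, ['ok']]
end

# Returns the response headers the middleware produces for a given path.
def demo_headers(path)
  FramePolicy.new(PERMISSIVE_APP).call('PATH_INFO' => path)[1]
end
```

In a Rails app the class would be registered with `config.middleware.use FramePolicy`, so that only routes under the embeddable prefix can be framed, and only by the named parent origin.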
    
