Cannot display my rails 4 app in iframe even if 'X-Frame-Options' is 'ALLOWALL'

Question

I am trying to test a responsive design. I am using Rails 4. I know it sets \'X-Frame-Options\' to SAME ORIGIN. So I overrided it in development.rb using

co         


        

Answer 1

I just wanted to give an updated answer here on dealing with embedding a Rails app in an iframe.

Its not a great idea to simply delete X-Frame-Options headers without having some other kind of security enforced to prevent against Clickjacking (which is the vulnerability X-Frame-Options is largely trying to protect you from).

The problem is that the X-Frame-Options 'ALLOW-FROM' option is not accepted on most major browsers anymore.

As of writing this, May 28th 2020, the best solution for preventing Clickjacking and hosting your app in an iframe is to implement a Content-Security-Policy and set a 'frame_ancestors' policy. The 'frame_ancestors' key designates what domains can embed your app as an iframe. Its currently supported by major browsers and overrides your X-Frame-Options.

You can set up a Content-Security-Policy with Rails 5.2 in an initializer (example below), and for Rails < 5.2 you can use a gem like the Secure Headers gem: https://github.com/github/secure_headers

You can also override the policy specifications on a controller/action basis if you'd like.

Content-Security-Policies are great for advanced security protections. Check out all the things you can configure in the Rails docs: https://edgeguides.rubyonrails.org/security.html

A Rails 5.2 example for a Content-Security-Policy:

# config/initializers/content_security_policy.rb    
Rails.application.config.content_security_policy do |policy|
  policy.frame_ancestors :self, 'some_website_that_embeds_your_app.com'
end

An example of a controller specific change to a policy:

# Override policy inline
class PostsController < ApplicationController
  content_security_policy do |p|
    p.frame_ancestors :self, 'some_other_website_that_can_embed_posts.com'
  end
end