How do I get Sinatra to refrain from adding the X-Frame-Options header?

Backend · unresolved · 6 answers · 1814 views
南旧 2020-12-08 04:55

I am using Sinatra to return some IFRAME contents, and I'd like to allow cross-domain src. Unfortunately, Sinatra is automatically adding an X-Frame-Options header to my re

6 answers
  • 2020-12-08 05:18

    Neither of the options presented here worked for my sinatra app. I ended up adding an after filter to modify the X-Frame-Options header to allow the app to be framed in by Facebook.

    after do
      headers({ 'X-Frame-Options' => 'ALLOW-FROM apps.facebook.com' })
    end
    
  • 2020-12-08 05:23

    The "set :protection, :except => :frame_options" answer did not work for me, using Sinatra-1.3.3

    I had to hack a solution; I put this mutha in my config.ru file. Obvs you can change the header to be anything you want.

    config.ru

    # Override #header so rack-protection's FrameOptions has nothing to add;
    # put a different key/value in the hash to send a header of your choosing.
    class Rack::Protection::FrameOptions
      def header
        @header ||= {}
      end
    end
    
  • 2020-12-08 05:24

    Sinatra uses Rack::Protection, in particular the frame_options option, which is what is setting the X-Frame-Options header.

    You can configure which protections are used. Sinatra turns most of them on by default (some are only enabled if you are also using sessions, and Rack::Protection itself doesn't enable some by default).

    To prevent sending the X-Frame-Options header you need to disable frame_options like this:

    set :protection, :except => :frame_options
    
  • 2020-12-08 05:31

    Actually, the solution given by @matt is still working with Sinatra v1.4.5.

    Yes, Sinatra is using Rack::Protection and according to Configuring attack protection

    you could either disable protection entirely (which is not recommended):

    disable :protection
    

    or only disable frame_options:

    set :protection, :except => :frame_options
    

    Other than that, if your problem is not caused by X-Frame-Options, it may be Access-Control-Allow-Origin; in that case, add the line below to your route before the return statement:

    response['Access-Control-Allow-Origin'] = 'http://www.example.com/'
    
  • 2020-12-08 05:32

    Another solution, and the one I ended up with in production, involves monkey-patching Rack::Protection::FrameOptions:

    # This monkeypatch is needed to ensure the X-Frame-Options header is
    # never set by rack-protection.
    module Rack
      module Protection
        class FrameOptions < Base
          def call(env)
            status, headers, body = @app.call(env)
            [status, headers, body]
          end
        end
      end
    end
    
  • 2020-12-08 05:35

    I think I found a good way to handle this but would welcome feedback

    The goal is to disable the X-Frame-Options just for one route to keep all the rack protection benefits:

        app.get '/hello_world' do
          # Pre-set the header so rack-protection finds it already present
          headers({ 'X-Frame-Options' => '' })
          "HELLO WORLD"
        end
    

    I believe this is a good option as it seems to prevent the rack protection from adding the SAMEORIGIN header on this one route

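To make the mechanics behind the per-route trick above (and the `after` filter in the first answer) concrete, here is an added, stdlib-only Ruby model. It is not code from this thread or from the sinatra or rack-protection projects, and needs neither gem installed. It assumes rack-protection's FrameOptions middleware behaves as `headers['X-Frame-Options'] ||= frame_options if html?(headers)`, i.e. it only fills in the header when the app left it unset, and only on HTML responses; the class, function and route names are hypothetical. It models `set :protection, :except => :frame_options` as simply not inserting the middleware, and goes a little beyond the thread by also showing the non-HTML case.

```ruby
# Added example: a stdlib-only model of rack-protection's FrameOptions logic.
# Not the gem's code. ASSUMPTION: the real middleware does
#   headers['X-Frame-Options'] ||= frame_options if html?(headers)
# so a value the app already set (even '') is left alone.

# Stand-in for Rack::Protection::FrameOptions (hypothetical name).
class ModelFrameOptions
  HTML_TYPES = %w[text/html application/xhtml+xml].freeze

  def initialize(app, frame_options: 'SAMEORIGIN')
    @app = app
    @frame_options = frame_options
  end

  # Rack middleware: call the inner app, then post-process its headers.
  def call(env)
    status, headers, body = @app.call(env)
    # `||=` is the whole story: the app's own value (even '') wins.
    headers['X-Frame-Options'] ||= @frame_options if html?(headers)
    [status, headers, body]
  end

  private

  # Only HTML responses get the header; JSON, images etc. are skipped.
  def html?(headers)
    type = headers['Content-Type'].to_s.split(';').first.to_s.strip
    HTML_TYPES.include?(type)
  end
end

# Build a Rack-style app for a single hypothetical route. +route_headers+
# models what a Sinatra route or `after` filter sets via headers(...)
# before rack-protection sees the response.
def hello_world_app(route_headers, content_type)
  lambda do |_env|
    headers = { 'Content-Type' => content_type }.merge(route_headers)
    [200, headers, ['HELLO WORLD']]
  end
end

# Run one request through the stack and return the final response headers.
#   protect: false models `set :protection, :except => :frame_options`
#   (the middleware is simply not in the stack).
def response_headers(route_headers = {}, content_type: 'text/html', protect: true)
  app = hello_world_app(route_headers, content_type)
  app = ModelFrameOptions.new(app) if protect
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/hello_world' }
  _status, headers, _body = app.call(env)
  headers
end

if __FILE__ == $PROGRAM_NAME
  puts "default:        #{response_headers({})['X-Frame-Options'].inspect}"
  puts "per-route '':   #{response_headers({ 'X-Frame-Options' => '' })['X-Frame-Options'].inspect}"
  puts "after filter:   #{response_headers({ 'X-Frame-Options' => 'ALLOW-FROM https://apps.facebook.com' })['X-Frame-Options'].inspect}"
  puts "json response:  #{response_headers({}, content_type: 'application/json')['X-Frame-Options'].inspect}"
  puts "except option:  #{response_headers({}, protect: false)['X-Frame-Options'].inspect}"
end
```

Two practitioner caveats follow from this. First, the empty-string trick only works because of the `||=`: it leaves an `X-Frame-Options:` header with an empty value on the wire, which browsers ignore as an unrecognized value, but disabling the protection for that route or stripping it in a dedicated middleware is cleaner. Second, `ALLOW-FROM` is not honoured by current browsers, so an `after` filter that sets it will not actually permit framing by a third party; the supported way to allow one specific origin to frame you is `Content-Security-Policy: frame-ancestors https://apps.facebook.com`, which you can set from the same filter.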