Cannot display my rails 4 app in iframe even if 'X-Frame-Options' is 'ALLOWALL'

Front-end | Unresolved | 8 | 1683
死守一世寂寞 2020-12-13 04:38

I am trying to test a responsive design. I am using Rails 4. I know it sets 'X-Frame-Options' to SAMEORIGIN. So I overrode it in development.rb using

co         

8 answers
  • 2020-12-13 04:49

    When 'Load denied by X-Frame-Options' using Heroku & Firefox

    I had a similar issue where I kept getting this error only on Firefox. I had a PHP web page hosted @ MochaHost serving a Rails app hosted @ Heroku (so RoR app has a page with an iframe which is pointing to the PHP web page and this working on all browsers except on Firefox).

    I was able to solve the problem by setting a default header for all of my requests in the specific environment file:

    # config/environments/production.rb
    
    # Applies to every response in this environment (note: ALLOWALL is not a
    # standard X-Frame-Options value; browsers that do not recognise it ignore
    # the header)
    config.action_dispatch.default_headers = { 'X-Frame-Options' => 'ALLOWALL' }
    

    Edit (as sheharyar suggested)

    Ideally, you shouldn't set a default header and do this only for actions that have to be rendered in an iFrame. If your entire app is being served inside an iFrame, you should explicitly mention the Origin:

    # config/environments/production.rb
    
    # Only the named origin may frame the app
    config.action_dispatch.default_headers = { 'X-Frame-Options' => 'ALLOW-FROM http://some-origin.com' }
    
  • 2020-12-13 04:57

    If you want to have this change take effect in all environments, place it in application.rb.

  • 2020-12-13 05:04

    Try just to delete this header 'X-Frame-Options'. Maybe this way in controller:

    # Rails 4 callback name (before_action in later versions)
    before_filter :allow_iframe_requests
    ...
    # Strips the header Rails added by default so this controller's responses can be framed
    def allow_iframe_requests
      response.headers.delete('X-Frame-Options')
    end
    
  • 2020-12-13 05:07

    I found another cause for this. Assuming the ALLOWALL or similar fix is implemented, the next gotcha is attempting to use http content in an https website, which causes security risks and is blocked by Mozilla, IE and probably other browsers. It took me 6 hours to identify this; hopefully by sharing I can reduce someone's pain...

    It can be checked by:

    • using your browser web tools, which should display an error.
    • web logs will lack any connection with your supplying site.
    • replacing your content's URL with a bank's https home page should demonstrate that the iframe otherwise works.

    The solution is to ask the source if they have https content or find another supplier.

    ref:

    • https://developer.mozilla.org/en/docs/Security/MixedContent
    • https://developer.mozilla.org/en-US/docs/Security/MixedContent/How_to_fix_website_with_mixed_content
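    As an added illustration (not code from any of the answers here, and not browser or Rails code), the following Ruby models the checks the answers above describe: the mixed-content block from the answer just above, and how a browser reads the X-Frame-Options values the earlier answers set (SAMEORIGIN, DENY, and non-standard tokens such as ALLOWALL, which modern browsers simply ignore, as they do the obsolete ALLOW-FROM form). The FrameLoadCheck module and its method names are invented for this page, and every URL and header value is constructed.

```ruby
require 'uri'

# Constructed model of the checks a browser applies before rendering a
# cross-origin <iframe>. Invented for this page; not Rails or browser code.
module FrameLoadCheck
  module_function

  # Origin as scheme://host[:port], the unit SAMEORIGIN compares.
  def origin(url)
    u = URI.parse(url)
    port = u.port == u.default_port ? '' : ":#{u.port}"
    "#{u.scheme}://#{u.host}#{port}"
  end

  # Active mixed content: an https page may not embed an http frame.
  def mixed_content?(parent_url, frame_url)
    URI.parse(parent_url).scheme == 'https' && URI.parse(frame_url).scheme == 'http'
  end

  # Interpret the X-Frame-Options value the framed response carried.
  # :none covers a missing header, an unknown token such as ALLOWALL, and the
  # ALLOW-FROM form (assumed unsupported, as in current browsers): all of
  # those are ignored, so they give no framing protection at all.
  def x_frame_options(value)
    case value.to_s.strip.upcase
    when 'DENY' then :deny
    when 'SAMEORIGIN' then :sameorigin
    else :none
    end
  end

  # Decide whether parent_url may render frame_url, given the response headers
  # of the framed document (single-level model; real browsers also walk every
  # ancestor frame). Returns [allowed?, reason].
  def decide(parent_url, frame_url, headers = {})
    if mixed_content?(parent_url, frame_url)
      return [false, 'blocked: mixed content (https page, http frame)']
    end

    xfo = headers.find { |k, _| k.to_s.casecmp('X-Frame-Options').zero? }&.last
    case x_frame_options(xfo)
    when :deny
      [false, 'blocked: X-Frame-Options DENY']
    when :sameorigin
      if origin(parent_url) == origin(frame_url)
        [true, 'allowed: same origin']
      else
        [false, 'blocked: X-Frame-Options SAMEORIGIN, different origin']
      end
    else
      reason = xfo.nil? ? 'no X-Frame-Options header' : "X-Frame-Options '#{xfo}' not recognised, ignored"
      [true, "allowed: #{reason} (no framing protection)"]
    end
  end
end

# Constructed sample cases, printed only when the file is run directly.
if $PROGRAM_NAME == __FILE__
  puts FrameLoadCheck.decide('https://shop.example', 'http://widget.example/embed').inspect
  puts FrameLoadCheck.decide('https://shop.example', 'https://widget.example/embed',
                             'X-Frame-Options' => 'ALLOWALL').inspect
end
```

    The last case is the one the question and the first answers run into: setting ALLOWALL "works" only because the browser discards a value it does not understand, so the app is left with no clickjacking protection rather than a deliberate allow list.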
  • 2020-12-13 05:07

    I just wanted to give an updated answer here on dealing with embedding a Rails app in an iframe.

    It's not a great idea to simply delete X-Frame-Options headers without having some other kind of security enforced to prevent against Clickjacking (which is the vulnerability X-Frame-Options is largely trying to protect you from).

    The problem is that the X-Frame-Options 'ALLOW-FROM' option is not accepted on most major browsers anymore.

    As of writing this, May 28th 2020, the best solution for preventing Clickjacking and hosting your app in an iframe is to implement a Content-Security-Policy and set a 'frame_ancestors' policy. The 'frame_ancestors' key designates what domains can embed your app as an iframe. It's currently supported by major browsers and overrides your X-Frame-Options.

    You can set up a Content-Security-Policy with Rails 5.2 in an initializer (example below), and for Rails < 5.2 you can use a gem like the Secure Headers gem: https://github.com/github/secure_headers

    You can also override the policy specifications on a controller/action basis if you'd like.

    Content-Security-Policies are great for advanced security protections. Check out all the things you can configure in the Rails docs: https://edgeguides.rubyonrails.org/security.html

    A Rails 5.2 example for a Content-Security-Policy:

    # config/initializers/content_security_policy.rb
    # Allows the app itself and the named host to embed it; everything else is refused
    Rails.application.config.content_security_policy do |policy|
      policy.frame_ancestors :self, 'some_website_that_embeds_your_app.com'
    end
    

    An example of a controller specific change to a policy:

    # Override policy inline
    class PostsController < ApplicationController
      content_security_policy do |p|
        p.frame_ancestors :self, 'some_other_website_that_can_embed_posts.com'
      end
    end
    
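    An added example, not code from this answer, from Rails or from the secure_headers gem: a plain-Ruby Rack-style middleware applying the per-route approach the answer recommends. Paths meant to be embedded get a Content-Security-Policy frame-ancestors list (which browsers honour in place of X-Frame-Options, so the unsupported ALLOW-FROM form is never needed), while every other path keeps the same-origin default that Rails ships with. The FramingPolicy class, the path prefixes and the partner hosts are invented for illustration; the only assumption is the Rack convention of call(env) returning [status, headers, body], so no gem is required to run it.

```ruby
# Constructed middleware for this page; not Rails or rack-gem code.
class FramingPolicy
  # Path prefix => ancestors allowed to frame it ('self' plus https host sources).
  # Invented sample routes and partner hosts.
  EMBEDDABLE = {
    '/widgets/' => ["'self'", 'https://partner.example'],
    '/embed/'   => ["'self'", 'https://*.customer.example']
  }.freeze

  # Default for every other path: same origin only (the Rails default).
  SELF_ONLY = ["'self'"].freeze

  def initialize(app, embeddable = EMBEDDABLE)
    @app = app
    @embeddable = embeddable.each_value { |list| validate!(list) }
  end

  # Rack entry point: run the app, then rewrite the framing headers.
  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    ancestors = ancestors_for(env['PATH_INFO'].to_s)

    # Drop whatever X-Frame-Options the app set (ALLOWALL, ALLOW-FROM, ...).
    headers.delete_if { |k, _| k.casecmp('X-Frame-Options').zero? }

    if ancestors
      # Embeddable route: CSP carries the allow list; no X-Frame-Options,
      # since it has no way to express more than one permitted origin.
      headers['Content-Security-Policy'] = with_frame_ancestors(headers['Content-Security-Policy'], ancestors)
    else
      # Everything else: same origin, stated both ways for older browsers.
      headers['X-Frame-Options'] = 'SAMEORIGIN'
      headers['Content-Security-Policy'] = with_frame_ancestors(headers['Content-Security-Policy'], SELF_ONLY)
    end
    [status, headers, body]
  end

  # Allowed ancestor list for a path, or nil when the path is not embeddable.
  def ancestors_for(path)
    _, list = @embeddable.find { |prefix, _| path.start_with?(prefix) }
    list
  end

  # Merge a frame-ancestors directive into an existing policy string without
  # clobbering the app's other directives; any earlier frame-ancestors is replaced.
  def with_frame_ancestors(existing, sources)
    kept = existing.to_s.split(';').map(&:strip)
                   .reject { |d| d.empty? || d.start_with?('frame-ancestors') }
    (kept + ["frame-ancestors #{sources.join(' ')}"]).join('; ')
  end

  private

  # Refuse http ancestors: an https page framed from http is mixed content
  # and would be blocked anyway.
  def validate!(list)
    list.each do |src|
      next if src == "'self'"
      raise ArgumentError, "ancestor #{src} must be an https origin" unless src.start_with?('https://')
    end
  end
end

# Constructed demo app; printed only when the file is run directly.
if $PROGRAM_NAME == __FILE__
  app = ->(_env) { [200, { 'X-Frame-Options' => 'ALLOWALL' }, ['ok']] }
  puts FramingPolicy.new(app).call('PATH_INFO' => '/widgets/price')[1].inspect
end
```

    The merge step matters in practice: Rails 5.2 and secure_headers already emit a Content-Security-Policy, so a middleware that assigned the header outright would silently discard directives such as default-src or script-src.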
  • 2020-12-13 05:08

    Try ALLOW-FROM http://example.com instead? ALLOWALL might be ok in Chrome if you have a sufficiently new version of Chrome [2]

    [1] https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

    [2] https://stackoverflow.com/a/16101968/800526
