Cannot display my rails 4 app in iframe even if 'X-Frame-Options' is 'ALLOWALL'

Question

I am trying to test a responsive design. I am using Rails 4. I know it sets \'X-Frame-Options\' to SAME ORIGIN. So I overrided it in development.rb using

co         


        

Answer 1

I had the same problem as you, and searched for a solution to this problem all night.

I finally found out why it happens. It's because of the Chrome cache.

You can see the header['X-Frame-Options'] is ALLOWALL but it doesn't work.

Just try to open a "New Incognito Window" and go the same page and it works!

This problem only happened in development mode in my test. It worked fine in production mode.

Answer 2

Rails 4 added a default X-Frame-Options HTTP header value of SAMEORIGIN. This is good for security, but when you do want your action to be called in an iframe, you can do this:

---

To Allow all Origins:

class MyController < ApplicationController
  def iframe_action
    response.headers.delete "X-Frame-Options"
    render_something
  end
end

To Allow a Specific Origin:

class MyController < ApplicationController
  def iframe_action
    response.headers["X-FRAME-OPTIONS"] = "ALLOW-FROM http://some-origin.com"
    render_something
  end
end

---

Use :after_filter

When you need to use more than one of your action in an iframe, it's a good idea to make a method and call it with :after_filter:

class ApplicationController < ActionController::Base

  private
  def allow_iframe
    response.headers.delete "X-Frame-Options"
  end
end

Use it in your controllers like this:

class MyController < ApplicationController
  after_filter :allow_iframe, only: [:basic_embed, :awesome_embed]

  def basic_embed
      render_something
  end

  def awesome_embed
      render_something
  end

  # Other Actions...
end

---

Do a Hard-Refresh in your browser, or use another browser to view changes

Via: Rails 4: let specific actions be embedded as iframes