How to "allow-from" more than one domain for "X-Frame-Options" in Rails 4 controller?
In a Ruby on Rails 4 application I'm working on, I need to make a page that will be pulled into an iframe hosted on the foo.bar.com server, so I have this controller method:

def iframed_page
  response.headers["X-FRAME-OPTIONS"] = "ALLOW-FROM http://foo.bar.com"
end

...and now it turns out that the client wants me to also whitelist http://foo.dev.bar.com.

I know that for setting X-FRAME-OPTIONS, the "ALLOW-FROM" option doesn't allow for multiple subdomains. But since this is the same root domain with different subdomains, would it be a little more flexible? For example, could I do something like

response.headers["X-FRAME-OPTIONS"] = "ALLOW-FROM http://*.bar.com"

as well?

Curriery answered 4/11, 2014 at 21:57
possible duplicate of X-Frame-Options Allow-From multiple domains - Rask
I read that question, thank you very much. It doesn't explain anything about Ruby on Rails, or what to do if you have two different subdomains of the same root domain. - Curriery
I'm not trying to be argumentative when I say: your question isn't really Rails-specific, and the question/answer linked above does provide information on a wildcard prefix using Content-Security-Policy. Regardless, it seems X-FRAME-OPTIONS may not be the most forward-looking choice. - Rask
The question linked above makes it clear that Content-Security-Policy doesn't work in all browsers and that the relevant directive frame-ancestors only works in Chrome and Firefox. Also that answer's statements about X-FRAME-OPTIONS are out of date as well. - Proctor

You can use the Content-Security-Policy header instead, but it doesn't work on everything.

# frame-ancestors accepts a space-separated list of sources, including a "*." wildcard label
response.headers["X-Content-Security-Policy"] = "frame-ancestors http://*.bar.com"
response.headers["Content-Security-Policy"] = "frame-ancestors http://*.bar.com"
  • Content-Security-Policy will override X-Frame-Options on modern browsers
  • X-Content-Security-Policy will override X-Frame-Options on IE11
Pheasant answered 17/5, 2016 at 18:6
frame-ancestors is part of CSP version 2, which is currently not supported in Internet Explorer or Edge. - Aisne
Note that frame-ancestors will not take priority in firefox, see this bug bugzilla.mozilla.org/show_bug.cgi?id=1024557 and upvote it to try get this fixed. - Samale
Per developer.mozilla.org/en-US/docs/Web/HTTP/CSP: "sometimes you will see mentions of the X-Content-Security-Policy header, but that's an older version and you don't need to specify it anymore" - Outclass
Note: It is known that having both Content-Security-Policy and X-Content-Security-Policy or X-Webkit-CSP causes unexpected behaviours on certain versions of browsers. Please avoid using deprecated X-* headers. - source: content-security-policy.com - Inveteracy
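An added example, not code from the question or the answer above, showing how the answer's approach looks when the list of embedding origins is configured rather than hard-coded: the origins are validated, turned into a single frame-ancestors directive, and applied to a Rails-style response.headers hash. The helper names (normalize_embed_origin, frame_ancestors_policy, apply_frame_ancestors!) are this example's own.

```ruby
# Added example (not from the question or answer). Builds a CSP frame-ancestors
# directive for several embedding origins and applies it to a response headers
# hash, as a Rails controller action would. Helper names are this example's own.

ORIGIN_PATTERN = %r{\A(https?)://((?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::(\d{1,5}))?/?\z}i

# Reduce a configured origin to scheme://host[:port] and reject anything that
# carries a path, userinfo, query or an unusual wildcard, so that a typo in
# configuration cannot silently widen the set of sites allowed to frame the page.
def normalize_embed_origin(origin)
  m = ORIGIN_PATTERN.match(origin.strip)
  raise ArgumentError, "not a valid embedding origin: #{origin.inspect}" unless m
  scheme, host, port = m[1].downcase, m[2].downcase, m[3]
  default_port = scheme == 'https' ? '443' : '80'
  port && port != default_port ? "#{scheme}://#{host}:#{port}" : "#{scheme}://#{host}"
end

# frame-ancestors takes a space-separated list of sources, and a host source may
# start with a "*." wildcard label; X-Frame-Options ALLOW-FROM can do neither.
def frame_ancestors_policy(origins)
  sources = origins.map { |o| normalize_embed_origin(o) }.uniq
  raise ArgumentError, 'at least one embedding origin is required' if sources.empty?
  "frame-ancestors #{sources.join(' ')}"
end

# Mutate a headers hash the way an action mutates response.headers. Rails 4
# sends X-Frame-Options: SAMEORIGIN by default (action_dispatch.default_headers),
# so a page meant to be framed by another site must replace it; the upper-case
# key from the question is removed too so only one spelling is sent. Only the
# first origin can be expressed as ALLOW-FROM, and only without a wildcard; it
# is kept as a fallback for browsers that lack CSP 2, while CSP wins elsewhere.
def apply_frame_ancestors!(headers, origins)
  policy = frame_ancestors_policy(origins)
  first = policy.split(' ')[1]
  headers.delete('X-FRAME-OPTIONS')
  if first.include?('*')
    headers.delete('X-Frame-Options')
  else
    headers['X-Frame-Options'] = "ALLOW-FROM #{first}"
  end
  headers['Content-Security-Policy'] = policy
  headers
end

# In a Rails 4 controller the action from the question would become:
#   def iframed_page
#     apply_frame_ancestors!(response.headers, %w[http://foo.bar.com http://foo.dev.bar.com])
#   end
```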
