X-Frame-Options ALLOW-FROM a specific site allows from all
I'm using a rails application to serve a page from abc.com. In it, I set the response headers in my application controller (for every request through before_filter) so that it can be accessed through an iframe only from a specific site (xyz.com), through the following code:

def set_x_frame_options
  response.headers["X-Frame-Options"] = "ALLOW-FROM http://www.xyz.com"
end

The problem is, not only am I able to access the page from abc.com on xyz but also on any other website. I want to limit the access to only xyz.com. When I examine the response headers in chrome console I can see the X-Frame-Options is being passed on correctly. This is happening across all browsers. Am I missing something?

Orsini answered 16/7, 2012 at 23:55

Comments:

Perhaps related: groups.google.com/a/chromium.org/forum/?fromgroups#!topic/… What about FF/IE9, etc.? That is, is it only [that version of] Chrome that is affected? (Sofko)

See also #10658935: "The problem is: it looks like sending ALLOW-FROM domain results in a no-op overall for the latest Firefox and Google Chrome [whatever version they were at the time]. IE8, at least, seems to be correctly implementing ALLOW-FROM." ... "Yet, the frame still displays content." (Sofko)

I did check those two links prior to posting here. Regarding the first link, I thought that was it, but I checked on Firefox and Safari and both seem to be allowing from all, so not sure if it's Chrome specific. (Orsini)

Possible duplicate: #10658935. Or, quoting the answer there: "ALLOW-FROM is not supported in Chrome or Safari. See: developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options". By the way: I don't think adding the Ruby on Rails tag was a good idea. This is obviously not Ruby on Rails failing. (Ster)

For those looking for a definitive answer: it's not implemented in WebKit, but does work in Firefox reportedly as of version 18.0. The following Ruby syntax works for me in Firefox 20.0 on OS X:

response.headers["X-Frame-Options"] = "Allow-From http://www.website.com"
Sinistral answered 11/6, 2013 at 21:12
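The following is an added example, not code from the question or either answer. It shows two things the thread leaves implicit: why `X-Frame-Options: ALLOW-FROM ...` lets every site frame the page (Chrome and Safari never supported that value, Firefox later dropped it, and the HTML spec has browsers ignore any X-Frame-Options value other than DENY or SAMEORIGIN), and what to send instead: a `Content-Security-Policy: frame-ancestors` allowlist, with X-Frame-Options added only in the two cases it can express. The helper names (`framing_headers`, `framing_allowed?`, `xfo_allows?`, `frame_ancestors_allows?`) are my own, the code is plain Ruby rather than Rails, and the header evaluation is a simplified model of the HTML and CSP Level 3 rules (it does not implement the http-to-https upgrade that CSP permits for host sources). The origins `abc.com`, `www.xyz.com` and `evil.example` are taken from, or constructed in the spirit of, the question.

```ruby
require "uri"

# An origin is the (scheme, host, port) triple browsers compare when
# deciding whether one document may frame another.
Origin = Struct.new(:scheme, :host, :port) do
  def self.parse(url)
    u = URI.parse(url)
    new(u.scheme.downcase, u.host.downcase, u.port)
  end
end

DEFAULT_PORT = { "http" => "80", "https" => "443" }.freeze

# Headers a Rails before_action should set instead of ALLOW-FROM (hypothetical
# helper). allowed: origin strings permitted to frame the page ([] = nobody).
# X-Frame-Options can only express DENY and SAMEORIGIN; for any other
# allowlist it is left out, because ALLOW-FROM is ignored by browsers.
def framing_headers(allowed, self_origin:)
  me = Origin.parse(self_origin)
  srcs = allowed.map { |a| Origin.parse(a) == me ? "'self'" : a }.uniq
  headers = { "Content-Security-Policy" =>
              "frame-ancestors #{srcs.empty? ? "'none'" : srcs.join(' ')}" }
  headers["X-Frame-Options"] = "DENY" if srcs.empty?
  headers["X-Frame-Options"] = "SAMEORIGIN" if srcs == ["'self'"]
  headers
end

HOST_SRC = %r{\A(?:(?<scheme>[a-z][a-z0-9+.-]*)://)?(?<host>\*|(?:\*\.)?[a-z0-9.-]+)(?::(?<port>\d+|\*))?\z}i

# Does one CSP source expression ('self', "https:", "*.xyz.com", ...) match
# the embedder's origin? Simplified CSP3 matching: no http->https upgrade.
def source_matches?(src, embedder, self_origin)
  return embedder == self_origin if src == "'self'"
  return embedder.scheme == src.chomp(":").downcase if src =~ /\A[a-z][a-z0-9+.-]*:\z/i
  m = HOST_SRC.match(src) or return false
  scheme = (m[:scheme] || self_origin.scheme).downcase
  return false unless embedder.scheme == scheme
  host = m[:host].downcase
  host_ok = host == "*" || embedder.host == host ||
            (host.start_with?("*.") && embedder.host.end_with?(host[1..-1]))
  return false unless host_ok
  port = m[:port] || DEFAULT_PORT[scheme]
  port == "*" || (!port.nil? && embedder.port == port.to_i)
end

# frame-ancestors with no sources, or 'none', blocks every embedder.
def frame_ancestors_allows?(directive, embedder, self_origin)
  sources = directive.split[1..-1] # drop the "frame-ancestors" keyword
  return false if sources.empty? || sources == ["'none'"]
  sources.any? { |s| source_matches?(s, embedder, self_origin) }
end

# X-Frame-Options as the HTML spec has browsers evaluate it: DENY and
# SAMEORIGIN are enforced, conflicting values block, and any other value,
# ALLOW-FROM included, is an unrecognised token that is simply ignored.
def xfo_allows?(value, embedder, self_origin)
  tokens = value.split(",").map { |t| t.strip.downcase }.uniq
  return (tokens & %w[deny sameorigin allowall]).empty? if tokens.size > 1
  case tokens.first
  when "deny"       then false
  when "sameorigin" then embedder == self_origin
  else true
  end
end

# Would a browser render the page (served by self_url with these response
# headers) inside a frame on embedder_url? When frame-ancestors is present
# it takes precedence and X-Frame-Options is ignored entirely.
def framing_allowed?(headers, embedder_url, self_url)
  embedder, me = Origin.parse(embedder_url), Origin.parse(self_url)
  csp = headers["Content-Security-Policy"].to_s
  fa  = csp.split(";").map(&:strip).find { |d| d.start_with?("frame-ancestors") }
  return frame_ancestors_allows?(fa, embedder, me) if fa
  xfo = headers["X-Frame-Options"]
  xfo ? xfo_allows?(xfo, embedder, me) : true
end

if __FILE__ == $PROGRAM_NAME
  bad  = { "X-Frame-Options" => "ALLOW-FROM http://www.xyz.com" }  # the question's header
  good = framing_headers(["https://www.xyz.com"], self_origin: "https://abc.com")
  %w[https://www.xyz.com https://evil.example].each do |site|
    puts "#{site}: ALLOW-FROM=#{framing_allowed?(bad, site, 'https://abc.com')} " \
         "frame-ancestors=#{framing_allowed?(good, site, 'https://abc.com')}"
  end
end
```

Running the script shows the question's symptom: with ALLOW-FROM, both `www.xyz.com` and `evil.example` are allowed to frame the page; with `frame-ancestors https://www.xyz.com` only the intended embedder is. In a Rails controller the `framing_headers` hash would be merged into `response.headers` from the same `before_action` the question uses for its single header.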
