X-Frame-Options ALLOW-FROM a specific site allows from all

ruby-on-rails google-chrome iframe http-headers x-frame-options
Swamy g picture Swamy g · Jul 17, 2012 · Viewed 7.9k times · Source

I'm using a rails application to serve a page from abc.com. In it, I set the response headers in my application controller (for every request through before_filter) so that it can be accessed through an iframe only from a specific site (xyz.com), through the following code:

def set_x_frame_options
  response.headers["X-Frame-Options"] = "ALLOW-FROM http://www.xyz.com"
end

The problem is, not only am I able to access the page from abc.com on xyz but also on any other website. I want to limit the access to only xyz.com. When I examine the response headers in chrome console I can see the X-Frame-Options is being passed on correctly. This is happening across all browsers. Am I missing something?

Answer

Michael Lawrie picture Michael Lawrie · Jun 11, 2013

For those looking for a definitive answer: it's not implemented in webkit, but does work in Firefox reportedly as of version 18.0. The following ruby syntax works for me in Firefox 20.0 on OSX:

response.headers["X-Frame-Options"] = "Allow-From http://www.website.com"

Related questions

Getting error: Peer authentication failed for user "postgres", when trying to get pgsql working with rails

I'm getting the error: FATAL: Peer authentication failed for user "postgres" when I try to make postgres work with Rails. Here's my pg_hba.conf, my database.yml, and a dump of the full trace. I changed authentication to md5 …

Read More
How to get a random number in Ruby

How do I generate a random number between 0 and n?

Read More
Rails: How can I rename a database column in a Ruby on Rails migration?

I wrongly named a column hased_password instead of hashed_password. How do I update the database schema, using migration to rename this column?

Read More