Ruby on rails 4 app does not work in iframe

ruby-on-rails ruby-on-rails-3 iframe ruby-on-rails-4
Oleg Pasko picture Oleg Pasko · May 15, 2013 · Viewed 30k times · Source

How can I embed my rails app into another website via iframe?

It works nicely with RoR 3, but not with RoR 4:

<iframe src="http://myrailsapp.com/" width="100%" height="50" id="rails_iframe">error!</iframe>

I tried to use verify_authenticity_token and protect_from_forgery options in my controller... seems it's something else (but I'm not sure).

upd. Example: http://jsfiddle.net/zP329/

Answer

jcypret picture jcypret · May 18, 2013

This has to do with Rails 4 enabling additional security protocols by default: http://weblog.rubyonrails.org/2013/2/25/Rails-4-0-beta1/

The setting that breaks iFrames on remote sites is X-Frame-Options. By default, this is set to SAMEORIGIN, which prevents the content from being loading cross domain:

config.action_dispatch.default_headers = {
    'X-Frame-Options' => 'SAMEORIGIN'
}

You can read about the new default headers here: http://edgeguides.rubyonrails.org/security.html#default-headers

In order to allow the iFrame to work cross domain, you can change the default headers to allow X-Frame across domain.

config.action_dispatch.default_headers = {
    'X-Frame-Options' => 'ALLOWALL'
}

Related questions

How to get a random number in Ruby

How do I generate a random number between 0 and n?

Read More
Rails: How can I rename a database column in a Ruby on Rails migration?

I wrongly named a column hased_password instead of hashed_password. How do I update the database schema, using migration to rename this column?

Read More
How to remove a key from Hash and get the remaining hash in Ruby/Rails?

To add a new pair to Hash I do: {:a => 1, :b => 2}.merge!({:c => 3}) #=> {:a => 1, :b => 2, :c => 3} Is there a similar way to delete a key from Hash ? This works: {:a => 1, :b => 2}.…

Read More