Fix Rails oauth facebook x-frame-options sameorigin error

Problem description

I can't for the life of me get my Facebook canvas app to display. Chrome console displays this error and nothing shows up inside the iframe - it's blank:

Refused to display 'http://mysite.dev/' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

I'm using Rails 4.0.0.rc1 and omniauth-facebook 1.4.1, following the Railscast on Facebook Authentication as a guide. I didn't use any of the Javascript code since it was optional and ideally the app should only be accessed within Facebook.

routes.rb

  match 'auth/:provider/callback', to: 'sessions#create', via: [:get, :post]
  match 'auth/failure', to: redirect('/'), via: [:get, :post]
  match 'signout', to: 'sessions#destroy', as: 'signout', via: [:get, :post]

sessions_controller.rb

class SessionsController < ApplicationController

  def create
    user = User.from_omniauth(env["omniauth.auth"])
    session[:user_id] = user.id
    redirect_to root_url
  end

  def destroy
    session[:user_id] = nil
    redirect_to root_url
  end
end

application_controller.rb

I had to comment this out because I kept getting InvalidAuthenticityToken errors which cost me the other half of my day. A bit more on that here.

  # protect_from_forgery with: :exception

Facebook settings


  • App domain: myapp.dev
  • Canvas URL: http://myapp.dev
  • Secure Canvas URL: -- blank -- if https is specified, I get webpage is unavailable

Please help before I start flipping desks. :)

Recommended answer

In Rails 4, X-FRAME-OPTIONS is set to SAMEORIGIN in the headers, which I guess prevents it from being loaded in a frame, as described in this issue. One person notes the difficulty this will cause Facebook app developers.

I managed to solve this by adding the following to application.rb:

config.action_dispatch.default_headers[:'X-Frame-Options'] = "ALLOW-FROM https://apps.facebook.com"

I also used Forward to create a domain to allow Facebook to access my local development machine. I entered this domain in the canvas and secure canvas fields in Facebook. Highly recommended.

Further information here:
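A narrower variant of the fix above, as an added example that is not part of the original question or answer: current Chrome and Firefox do not honour `ALLOW-FROM`, and the CSP `frame-ancestors` directive is the standard replacement. The sketch below is a Rack-compatible middleware in plain Ruby that allows framing by `https://apps.facebook.com` only on canvas paths and keeps `SAMEORIGIN` everywhere else. The class name `CanvasFraming`, the `/canvas` path prefix and the demo app are assumptions made for illustration.

```ruby
# Added example: Rack-compatible middleware, plain Ruby, no gems needed.
class CanvasFraming
  # Origin taken from the answer above; the path prefix is hypothetical.
  ALLOWED_ANCESTOR = "https://apps.facebook.com".freeze

  def initialize(app, canvas_prefix: "/canvas")
    @app = app
    @canvas_prefix = canvas_prefix
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    if canvas_path?(env["PATH_INFO"].to_s)
      # Only these responses may be framed, and only by the one origin.
      headers.delete("X-Frame-Options")
      headers["Content-Security-Policy"] =
        with_frame_ancestors(headers["Content-Security-Policy"])
    else
      # Every other response keeps the Rails 4 default.
      headers["X-Frame-Options"] = "SAMEORIGIN"
    end
    [status, headers, body]
  end

  private

  def canvas_path?(path)
    path == @canvas_prefix || path.start_with?("#{@canvas_prefix}/")
  end

  # Replace any existing frame-ancestors directive, keep the other directives.
  def with_frame_ancestors(existing)
    kept = existing.to_s.split(";").map(&:strip).reject do |d|
      d.empty? || d.downcase.start_with?("frame-ancestors")
    end
    (kept + ["frame-ancestors #{ALLOWED_ANCESTOR}"]).join("; ")
  end
end

# Constructed downstream app standing in for the Rails application.
DEMO_APP = lambda do |_env|
  [200, { "X-Frame-Options" => "SAMEORIGIN",
          "Content-Security-Policy" => "default-src 'self'; frame-ancestors 'none'" },
   ["ok"]]
end

def demo_headers(path)
  CanvasFraming.new(DEMO_APP).call("PATH_INFO" => path)[1]
end
```

In a Rails app a middleware like this would be registered with `config.middleware.use CanvasFraming` in application.rb instead of changing the global default header.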
