How to override X-Frame-Options for a controller or action in Rails 4

Question
Rails 4 appears to set a default value of SAMEORIGIN for the X-Frame-Options HTTP response header. This is great for security, but it does not allow for parts of your app to be available in an iframe on a different domain.
You can override the value of X-Frame-Options globally using the config.action_dispatch.default_headers setting:

    config.action_dispatch.default_headers['X-Frame-Options'] = "ALLOW-FROM https://apps.facebook.com"
But how do you override it for just a single controller or action?
Answer
If you want to remove the header completely, you can create an after_action filter:
    class FilesController < ApplicationController
      # Run the filter only for the embed action; every other action keeps
      # the default SAMEORIGIN header.
      after_action :allow_iframe, only: :embed

      def embed
      end

      private

      def allow_iframe
        # Drop the header entirely, so any origin may frame this action.
        response.headers.except! 'X-Frame-Options'
      end
    end
Or, of course, you can code the after_action to set the value to something different:
    class FacebookController < ApplicationController
      # No `only:` here, so the header is rewritten for every action in
      # this controller.
      after_action :allow_facebook_iframe

      private

      def allow_facebook_iframe
        response.headers['X-Frame-Options'] = 'ALLOW-FROM https://apps.facebook.com'
      end
    end
Note that you need to clear your cache in certain browsers (Chrome for me) while debugging this.
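To make the per-action behaviour concrete without a Rails install, here is an added example (not part of the answer above) that stands in a minimal `MiniController` for ActionController's `after_action` with `only:` and seeds each response with the Rails 4 default headers; the `DEFAULT_HEADERS` hash and `dispatch` method are assumptions made for the demonstration.

```ruby
# Rails 4 adds these to every response via config.action_dispatch.default_headers.
DEFAULT_HEADERS = {
  'X-Frame-Options'        => 'SAMEORIGIN',
  'X-XSS-Protection'       => '1; mode=block',
  'X-Content-Type-Options' => 'nosniff'
}.freeze

# Hypothetical stand-in for ActionController::Base: runs an action, then the
# registered after_action callbacks, honouring the `only:` restriction.
class MiniController
  Response = Struct.new(:headers)

  def self.after_action(name, only: nil)
    (@callbacks ||= []) << [name, only && Array(only).map(&:to_s)]
  end

  def self.callbacks
    @callbacks || []
  end

  attr_reader :response

  # Returns the final response headers for the given action.
  def dispatch(action)
    @response = Response.new(DEFAULT_HEADERS.dup)
    public_send(action)
    self.class.callbacks.each do |name, only|
      send(name) if only.nil? || only.include?(action.to_s)
    end
    response.headers
  end
end

class FilesController < MiniController
  after_action :allow_iframe, only: :embed   # embed only; show keeps SAMEORIGIN
  def embed; end
  def show; end
  private
  def allow_iframe
    response.headers.delete('X-Frame-Options') # any origin may frame embed
  end
end

class FacebookController < MiniController
  after_action :allow_facebook_iframe        # applies to every action
  def canvas; end
  private
  def allow_facebook_iframe
    response.headers['X-Frame-Options'] = 'ALLOW-FROM https://apps.facebook.com'
  end
end
```

Deleting the header lets any site frame that action, so keep the `only:` list as narrow as possible; a browser that does not understand `ALLOW-FROM` ignores the header, which is also equivalent to no restriction for that action.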