Ruby on rails 4 app在iframe中不起作用 [英] Ruby on rails 4 app does not work in iframe
问题描述
如何通过iframe将我的rails应用程序嵌入到另一个网站?
How can I embed my rails app into another website via iframe?
它与RoR 3很好地配合,但不适用于RoR 4:
It works nicely with RoR 3, but not with RoR 4:
<iframe src="http://myrailsapp.com/" width="100%" height="50" id="rails_iframe">error!</iframe>
我试图使用 verify_authenticity_token
和 protect_from_forgery
我的控制器中的选项...似乎是别的(但我不确定)。
I tried to use verify_authenticity_token
and protect_from_forgery
options in my controller... seems it's something else (but I'm not sure).
upd。示例:
http://jsfiddle.net/zP329/
推荐答案
这与Rails 4默认启用其他安全协议有关: http://weblog.rubyonrails.org/2013/2/25/Rails-4-0-beta1/
This has to do with Rails 4 enabling additional security protocols by default: http://weblog.rubyonrails.org/2013/2/25/Rails-4-0-beta1/
在远程站点上破坏iFrame的设置是X-Frame-Options。默认情况下,此设置为SAMEORIGIN,可防止内容加载跨域:
The setting that breaks iFrames on remote sites is X-Frame-Options. By default, this is set to SAMEORIGIN, which prevents the content from being loading cross domain:
config.action_dispatch.default_headers = {
'X-Frame-Options' => 'SAMEORIGIN'
}
您可以在此处阅读有关新默认标题的信息:
http://edgeguides.rubyonrails.org/security.html#default-headers
You can read about the new default headers here: http://edgeguides.rubyonrails.org/security.html#default-headers
为了允许iFrame跨域工作,您可以更改默认标头以允许跨域使用X-Frame。
In order to allow the iFrame to work cross domain, you can change the default headers to allow X-Frame across domain.
config.action_dispatch.default_headers = {
'X-Frame-Options' => 'ALLOWALL'
}
这篇关于Ruby on rails 4 app在iframe中不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!