How to Get Sinatra to Refrain from Adding the X-Frame-Options Header

How do I get Sinatra to refrain from adding the X-Frame-Options header?

Sinatra uses Rack::Protection, in particular the frame_options option, which is what is setting the X-Frame-Options header.

You can configure which protections are used. Sinatra turns most of them on by default (some are only enabled if you are also using sessions, and Rack::Protection itself doesn't enable some by default).

To prevent sending the X-Frame-Options header you need to disable frame_options like this:

set :protection, :except => :frame_options

ASP.Net Core: X-Frame-Options strange behavior

I would say on the first request Antiforgery saves the cookie which means it also tries to set the X-Frame-Options header.

If you want to disable that header in Antiforgery and manually handle it yourself, what you want is setting SuppressXFrameOptionsHeader to be true ;)

services.AddAntiforgery(o => o.SuppressXFrameOptionsHeader = true);

How to override X-Frame-Options for a controller or action in Rails 4

If you want to remove the header completely, you can create an after_action filter:

class FilesController < ApplicationController
  after_action :allow_iframe, only: :embed

  def embed
  end

  private

  def allow_iframe
    response.headers.except! 'X-Frame-Options'
  end
end

Or, of course, you can code the after_action to set the value to something different:

class FacebookController < ApplicationController
  after_action :allow_facebook_iframe

  private

  def allow_facebook_iframe
    response.headers['X-Frame-Options'] = 'ALLOW-FROM https://apps.facebook.com'
  end
end

Note that you need to clear your cache in certain browsers (Chrome for me) while debugging this.

Sinatra not sending headers

It was not CORS that was the problem, but my crappy jQuery implementation. So make sure you don't copy it!

Disabling CORS in Dashing

Since Dashing uses Sinatra, you can find the answer in Sinatra's docs. I was able to accomplish this by adding the following to the config.ru file located in your Dashing directory:

configure do
  set :protection, :except => :frame_options
end

Additional reference: How do I get Sinatra to refrain from adding the X-Frame-Options header?

How to access *incoming* headers in Sinatra?

Have you tried adding HTTP to the header name? So it would be request.env["HTTP_MyHeader"]. This is part of the Rack spec.
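As an added example that is not part of any of the answers above, here is a minimal Rack-style stack in plain Ruby (no gems) that mirrors what Sinatra's frame_options protection does, shows how the Rails after_action above scopes the exception to one embeddable path instead of dropping the header for the whole app, and implements the HTTP_ env-key naming from the last answer. The class and method names (FrameOptions, AllowFramingFor, rack_env_key) are my own, not Sinatra's or Rails' APIs.

```ruby
# Default behaviour of a frame_options-style protection: add SAMEORIGIN
# unless the application already set the header itself.
class FrameOptions
  def initialize(app, value = 'SAMEORIGIN')
    @app, @value = app, value
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers['X-Frame-Options'] ||= @value
    [status, headers, body]
  end
end

# Per-path exception, the Rack equivalent of the Rails after_action above:
# strip the header only for the paths that are meant to be framed, so the
# rest of the app keeps its clickjacking protection.
class AllowFramingFor
  def initialize(app, paths)
    @app, @paths = app, paths
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers.delete('X-Frame-Options') if @paths.include?(env['PATH_INFO'])
    [status, headers, body]
  end
end

# Rack's CGI-style naming for incoming request headers: upcase, dashes to
# underscores, HTTP_ prefix; Content-Type and Content-Length are the two
# exceptions that carry no prefix.
def rack_env_key(header_name)
  key = header_name.upcase.tr('-', '_')
  %w[CONTENT_TYPE CONTENT_LENGTH].include?(key) ? key : "HTTP_#{key}"
end

# Constructed sample app and stack: the outer middleware runs last, so it
# can remove what the inner one added.
APP = ->(env) { [200, { 'Content-Type' => 'text/html' }, ["hello from #{env['PATH_INFO']}"]] }
STACK = AllowFramingFor.new(FrameOptions.new(APP), ['/files/embed'])

# Returns the response headers for a constructed GET request to `path`.
def response_headers(path)
  STACK.call('PATH_INFO' => path, 'REQUEST_METHOD' => 'GET')[1]
end
```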
