How do I get Sinatra to refrain from adding the X-Frame-Options header?
Sinatra uses Rack::Protection, in particular the frame_options option, which is what is setting the X-Frame-Options header.
You can configure which protections are used. Sinatra turns most of them on by default (some are only enabled if you also are using sessions, and Rack::Protection itself doesn't enable some by default).
To prevent sending the X-Frame-Options header you need to disable frame_options like this:
    set :protection, :except => :frame_options
ASP.Net Core: X-Frame-Options strange behavior
I would say on the first request Antiforgery saves the cookie which means it also tries to set the X-Frame-Options header.
If you want to disable that header in Antiforgery and manually handle it yourself, what you want is setting SuppressXFrameOptionsHeader to be true ;)
    services.AddAntiforgery(o => o.SuppressXFrameOptionsHeader = true);
How to override X-Frame-Options for a controller or action in Rails 4
If you want to remove the header completely, you can create an after_action filter:
    class FilesController < ApplicationController
      after_action :allow_iframe, only: :embed

      def embed
      end

      private

      def allow_iframe
        response.headers.except! 'X-Frame-Options'
      end
    end
Or, of course, you can code the after_action to set the value to something different:
    class FacebookController < ApplicationController
      after_action :allow_facebook_iframe

      private

      def allow_facebook_iframe
        response.headers['X-Frame-Options'] = 'ALLOW-FROM https://apps.facebook.com'
      end
    end
Note that you need to clear your cache in certain browsers (Chrome for me) while debugging this.
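An added example, not part of any answer on this page and not Sinatra's or Rails' own code: removing X-Frame-Options with no other framing control lets any site frame the page, and ALLOW-FROM is not honoured by current browsers, so this Rack-style middleware drops the header only on listed paths and sets a Content-Security-Policy frame-ancestors allow-list in its place. The class name FrameAncestors, the rules map and the sample app are assumptions made for the illustration.

```ruby
# Added example in plain Ruby (no gems), using the Rack convention:
# call(env) returns [status, headers, body].
class FrameAncestors
  XFO = 'X-Frame-Options'
  CSP = 'Content-Security-Policy'

  # rules (hypothetical name): exact path => origins allowed to frame it
  def initialize(app, rules)
    @app = app
    @rules = rules
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    origins = @rules[env['PATH_INFO'].to_s]
    if origins
      # Embeddable route: drop X-Frame-Options (any letter case) and name
      # the permitted parent origins in CSP instead of leaving framing open.
      headers.delete_if { |name, _| name.casecmp?(XFO) }
      set_frame_ancestors(headers, origins)
    elsif headers.none? { |name, _| name.casecmp?(XFO) }
      # Every other route keeps a same-origin default.
      headers[XFO] = 'SAMEORIGIN'
    end
    [status, headers, body]
  end

  private

  # Replace any existing frame-ancestors directive and keep the others.
  def set_frame_ancestors(headers, origins)
    key = headers.keys.find { |name| name.casecmp?(CSP) } || CSP
    kept = headers[key].to_s.split(';').map(&:strip)
    kept.reject! { |d| d.empty? || d.downcase.start_with?('frame-ancestors') }
    headers[key] = (kept << "frame-ancestors #{origins.join(' ')}").join('; ')
  end
end

# Constructed stand-in for an app whose framework already set the header.
INNER = lambda do |_env|
  [200, { 'Content-Type' => 'text/html', 'X-Frame-Options' => 'SAMEORIGIN',
          'Content-Security-Policy' => "default-src 'self'" }, ['ok']]
end
APP = FrameAncestors.new(INNER, { '/embed' => ['https://apps.facebook.com'] })
```

Paths are matched exactly, so a route such as /embedded does not inherit the relaxed policy.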
Sinatra not sending headers
It was not CORS that was the problem. But my crappy jQuery implementation. So make sure you don't copy it!
Disabling CORS in Dashing
Since dashing uses Sinatra you can find the answer in Sinatra's Docs. I was able to accomplish this by adding the following to the config.ru file located in your dashing directory:
    configure do
      set :protection, :except => :frame_options
    end
Additional reference: How do I get Sinatra to refrain from adding the X-Frame-Options header?
How to access *incoming* headers in Sinatra?
Have you tried adding HTTP to the header name? So it would be request.env["HTTP_MyHeader"]
This is part of the Rack spec.