Rails 4 added a default X-Frame-Options HTTP header with the value SAMEORIGIN. This is good for security: browsers use this header to decide whether your pages may be loaded in an iframe by other sites, and framing a page you did not intend to be framed is the basis of clickjacking attacks.
However, sometimes you do want a particular action to be embeddable in another site. If you know the site that embeds the action, you can change the header to allow that one origin explicitly. Use the same header name casing as the default: in Rails 4 response.headers is a plain, case-sensitive Hash, so writing "X-FRAME-OPTIONS" alongside the default "X-Frame-Options" sends both headers instead of replacing the value.

    class MyController < ApplicationController
      def my_embeddable_widget
        # Same casing as the default so SAMEORIGIN is replaced, not duplicated.
        response.headers["X-Frame-Options"] = "ALLOW-FROM http://example.com"
        render
      end
    end

Note that ALLOW-FROM takes a single origin and was only ever honoured by Internet Explorer and older Firefox; other browsers treat it as an invalid value and ignore the header entirely, so it does not stop anyone else from framing the action there. The standards-track replacement is the Content-Security-Policy frame-ancestors directive, which current browsers support and which takes a list of origins.
If, instead, you want the action to be embeddable by any site on the web, delete the header. Anyone can then frame the response, so make sure that view contains nothing clickable that changes state for a logged-in user:

    class MyController < ApplicationController
      def my_embeddable_widget
        # No X-Frame-Options at all: any origin may frame this response.
        response.headers.delete "X-Frame-Options"
        render
      end
    end
For a single controller action, inlining these changes makes sense. If you are going to allow multiple actions to be iframed, you can put the logic in a method and call it from an after_filter:

    class ApplicationController < ActionController::Base
      private

      def allow_iframe
        response.headers.delete "X-Frame-Options"
      end
    end

    class MyController < ApplicationController
      # after_action is the same callback on Rails 4.0+; after_filter was removed in Rails 5.1.
      after_filter :allow_iframe, only: :my_embeddable_widget

      def my_embeddable_widget
        render
      end
    end
You can get even fancier if you want, but in my experience YAGNI.
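As an added example that is not part of the original post, the following plain-Ruby module performs the same three header edits as the controllers above (keep SAMEORIGIN, allow one or more known origins, allow anyone) on a Rack-style headers Hash, which is what response.headers is underneath in Rails 4, so it runs without Rails. It also handles the two things a reviewer would ask about: it removes every casing of X-Frame-Options before writing a new value, so the duplicate-header mistake cannot happen, and it emits the equivalent Content-Security-Policy frame-ancestors directive, merging it into any CSP header already present. The module and method names (FrameEmbedding, allow_from!, allow_any!, same_origin!) and the sample header hashes are invented for this example.

```ruby
require "uri"

# Added example, not code from the original post or from Rails.
# Operates on a Rack-style headers Hash, as response.headers is in Rails 4.
module FrameEmbedding
  XFO = "X-Frame-Options"
  CSP = "Content-Security-Policy"

  # Rails 4 keeps response.headers in a case-sensitive Hash, so an entry
  # "X-FRAME-OPTIONS" next to the default "X-Frame-Options" would be sent
  # as two headers. Remove every spelling before assigning a new value.
  def self.drop_header(headers, name)
    headers.delete_if { |key, _| key.casecmp(name).zero? }
  end

  # Replace the frame-ancestors directive in an existing CSP header while
  # keeping whatever other directives are already there.
  def self.set_frame_ancestors(headers, sources)
    kept = headers[CSP].to_s.split(";").map(&:strip)
    kept.reject! { |d| d.empty? || d.start_with?("frame-ancestors") }
    headers[CSP] = (kept + ["frame-ancestors #{sources}"]).join("; ")
    headers
  end

  # Accept only origins (scheme://host[:port]). A bare host or a URL with a
  # path is rejected so a typo cannot silently produce a meaningless policy.
  def self.validate_origin!(origin)
    uri = URI.parse(origin)
    ok = %w[http https].include?(uri.scheme) &&
         !uri.host.to_s.empty? && uri.path.to_s.empty? &&
         uri.query.nil? && uri.fragment.nil? && uri.userinfo.nil?
    raise ArgumentError, "not an origin: #{origin.inspect}" unless ok
    origin
  rescue URI::InvalidURIError
    raise ArgumentError, "not an origin: #{origin.inspect}"
  end

  # The Rails 4 default: framing allowed from the same origin only.
  def self.same_origin!(headers)
    drop_header(headers, XFO)
    headers[XFO] = "SAMEORIGIN"
    set_frame_ancestors(headers, "'self'")
  end

  # Allow a fixed list of embedding sites. ALLOW-FROM takes a single origin
  # and only old IE/Firefox honoured it, so it is emitted only for a
  # one-origin list; frame-ancestors is what current browsers enforce.
  def self.allow_from!(headers, origins)
    raise ArgumentError, "at least one origin required" if origins.empty?
    origins.each { |o| validate_origin!(o) }
    drop_header(headers, XFO)
    headers[XFO] = "ALLOW-FROM #{origins.first}" if origins.size == 1
    set_frame_ancestors(headers, origins.join(" "))
  end

  # Allow any site to frame the response: the deleted-header case, with
  # CSP stating the policy explicitly instead of by omission.
  def self.allow_any!(headers)
    drop_header(headers, XFO)
    set_frame_ancestors(headers, "*")
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the headers Rails 4 sets by default.
  headers = { "X-Frame-Options" => "SAMEORIGIN" }
  FrameEmbedding.allow_from!(headers, ["http://example.com"])
  headers.each { |name, value| puts "#{name}: #{value}" }
end
```

In a controller the same calls would be made against response.headers from an after_action, replacing the delete-only allow_iframe method shown above.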