
I own a website where people create things and embed it on their website. Let's call it "mysite.com".

A user can create a page like "mysite.com/1" and embed it on their website, "acceptable.com". How can I prevent some other site like "forbidden.com" from being able to display "mysite.com/1" in an iframe?

tl;dr How can I make a "whitelist" for sites trying to iframe my own site?

Don P

1 Answer


In general, you can send an X-Frame-Options header with your server response that provides for the following options:

DENY
The page cannot be displayed in a frame, regardless of the site attempting to do so.

SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself.

ALLOW-FROM uri
The page can only be displayed in a frame on the specified origin.

https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

To do this in Rails, you can set (source) for all pages

config.action_dispatch.default_headers.merge!({'X-Frame-Options' => '[OPTION HERE]'})

or for only certain pages, see How to override X-Frame-Options for a controller or action in Rails 4

arcyqwerty
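As an added example (not part of the question or the answer above), here is a small plain-Ruby helper that turns a per-page allowlist of framing origins into the response headers the answer describes. It assumes a hypothetical `PAGE_ALLOWED_ORIGINS` lookup standing in for the page record in the database, and the origins in it are constructed sample values. It goes a little beyond the answer: `X-Frame-Options: ALLOW-FROM` accepts exactly one origin, so for pages allowed on several sites the helper emits only the `Content-Security-Policy: frame-ancestors` directive, which does take a list; for zero or one origin it sends both headers so older browsers that only understand X-Frame-Options are still covered. Stored origins are validated before being placed in a header so a value with a path, query or odd scheme cannot end up in the response.

```ruby
require 'uri'

# Constructed sample data: which origins each page id may be framed from.
# In the real application this would come from the page's database record.
PAGE_ALLOWED_ORIGINS = {
  1 => ['https://acceptable.com'],
  2 => ['https://acceptable.com', 'https://partner.example'],
  3 => [] # page 3 may not be framed anywhere
}.freeze

# Reduce a stored origin string to scheme://host[:port]. Anything that is not
# a bare http(s) origin (a path, query, fragment, or another scheme) is
# rejected rather than copied into a header.
def normalize_origin(str)
  uri = URI.parse(str)
  unless uri.is_a?(URI::HTTP) && uri.host
    raise ArgumentError, "not an http(s) origin: #{str}"
  end
  unless (uri.path.empty? || uri.path == '/') && uri.query.nil? && uri.fragment.nil?
    raise ArgumentError, "origin must not carry a path, query or fragment: #{str}"
  end
  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host.downcase}#{port}"
end

# Build the anti-framing headers for a list of allowed origins.
#   []          -> DENY / frame-ancestors 'none'
#   [one]       -> ALLOW-FROM one / frame-ancestors one
#   [two, ...]  -> frame-ancestors only (X-Frame-Options cannot list several
#                  origins, and ALLOW-FROM with one of them would block the rest)
def framing_headers(allowed_origins)
  origins = allowed_origins.map { |o| normalize_origin(o) }.uniq
  case origins.size
  when 0
    { 'X-Frame-Options' => 'DENY',
      'Content-Security-Policy' => "frame-ancestors 'none'" }
  when 1
    { 'X-Frame-Options' => "ALLOW-FROM #{origins.first}",
      'Content-Security-Policy' => "frame-ancestors #{origins.first}" }
  else
    { 'Content-Security-Policy' => "frame-ancestors #{origins.join(' ')}" }
  end
end

# Headers for a given page id; an unknown page is treated as "deny" so a
# missing record never falls through to the permissive default.
def framing_headers_for_page(page_id)
  framing_headers(PAGE_ALLOWED_ORIGINS.fetch(page_id) { [] })
end

# Hypothetical Rails wiring (not run here): set the headers per request in
# the controller that serves mysite.com/:id, e.g.
#   after_action { response.headers.merge!(framing_headers_for_page(params[:id].to_i)) }

if __FILE__ == $PROGRAM_NAME
  [1, 2, 3, 99].each do |id|
    puts "page #{id}: #{framing_headers_for_page(id).inspect}"
  end
end
```

The "deny on unknown page" default and the origin validation are the two choices a practitioner tends to want here: the permissive failure mode for an anti-clickjacking header is silently allowing framing everywhere, so the helper errs toward DENY, and it never echoes a stored string into a header without first proving it is a plain origin.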