I would like to make available a view of my Rails application via iFrame from any domain.

In Rails 4, there is a protection against X-Frame from other domains, as explained here: http://edgeguides.rubyonrails.org/security.html#default-headers

So, the solution would be to put this in application.rb:

```ruby
config.action_dispatch.default_headers = {
  'X-Frame-Options' => 'ALLOWALL'
}
```

This works nicely, both in my local server and in Heroku. But it leaves all the views of the web application exposed to be called with an iframe from any domain.

And I would want to expose only the iframe view. So, instead of the previous solution, I tried configuring the header only within the controller that I use to generate the iframe view:

```ruby
def iframe
  response.headers["X-Frame-Options"] = "ALLOWALL"

  # ...

end
```

And it works well in my local server. But it does not work when I upload it to Heroku.

Any idea why the second solution does not work in Heroku?

Thank you

idejuan
  • See [this](http://stackoverflow.com/questions/18445782/how-to-override-x-frame-options-for-a-controller-or-action-in-rails-4) question. – manu29.d May 13 '14 at 12:32
  • Thank you @manu29.d, the page you referred gave me the solution. I now use the method called with **after_action** and it works in Heroku as well. – idejuan May 15 '14 at 08:34

1 Answer

Taking a hint from this answer, you might want to set your headers in an after_action callback:

```ruby
after_action :allow_iframe, only: :iframe

def iframe
  # your code
end

private

def allow_iframe
  response.headers['X-Frame-Options'] = "ALLOWALL"
end
```

manu29.d
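A deploy-time check of the per-action approach, as an added example that is not part of the question or the answer above: it compares the X-Frame-Options value each path returns against the intended policy (ALLOWALL only on the embeddable view, the Rails default SAMEORIGIN everywhere else), so a difference between the local server and Heroku like the one in the question shows up as a listed failure rather than being discovered in the browser. The sample responses are constructed, the function names (`frame_option`, `audit_frame_headers`, `fetch_frame_headers`) are my own, and the live fetch assumes the deployed app answers HEAD requests at the base URL you pass.

```ruby
require 'net/http'
require 'uri'

# Policy: every view keeps the Rails 4 default (SAMEORIGIN) except the
# embeddable ones, which carry the value the app sets in its after_action.
DEFAULT_POLICY    = 'SAMEORIGIN'
EMBEDDABLE_POLICY = 'ALLOWALL'

# Effective X-Frame-Options value for one response. Header names are
# matched case-insensitively (Net::HTTP lowercases them, Rails does not)
# and the value is normalised the way browsers compare it. Returns nil
# when the header is absent.
def frame_option(headers)
  key = headers.keys.find { |k| k.to_s.casecmp('x-frame-options').zero? }
  key ? headers[key].to_s.strip.upcase : nil
end

# responses: { path => headers_hash }; embeddable_paths: the paths that may
# be framed from other origins. Returns one result per path, with :ok set
# only when the observed value matches the policy exactly (a missing header
# or an unexpected value on a non-embeddable view is a failure).
def audit_frame_headers(responses, embeddable_paths)
  responses.map do |path, headers|
    expected = embeddable_paths.include?(path) ? EMBEDDABLE_POLICY : DEFAULT_POLICY
    actual   = frame_option(headers)
    { path: path, expected: expected, actual: actual, ok: actual == expected }
  end
end

# Live variant: HEAD each path on a deployed host (for example the Heroku
# app) and collect its headers in the shape audit_frame_headers expects.
# Not exercised offline; assumption: the app answers HEAD like it does GET.
def fetch_frame_headers(base_url, paths)
  paths.each_with_object({}) do |path, acc|
    uri = URI.join(base_url, path)
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
      http.head(uri.request_uri)
    end
    acc[path] = res.to_hash.transform_values(&:first)
  end
end

# Constructed sample of what a deployment might return. '/admin' shows the
# effect of the global default_headers approach from the question leaking
# onto a view that should not be embeddable; '/about' has no header at all.
SAMPLE_RESPONSES = {
  '/'       => { 'x-frame-options' => 'SAMEORIGIN', 'content-type' => 'text/html' },
  '/iframe' => { 'x-frame-options' => 'ALLOWALL' },
  '/admin'  => { 'x-frame-options' => 'ALLOWALL' },
  '/about'  => { 'content-type' => 'text/html' }
}

if __FILE__ == $0
  # Offline run over the constructed sample; swap in
  # fetch_frame_headers('https://your-app.example', SAMPLE_RESPONSES.keys)
  # to audit a real deployment.
  audit_frame_headers(SAMPLE_RESPONSES, ['/iframe']).each do |r|
    status = r[:ok] ? 'ok  ' : 'FAIL'
    puts "#{status} #{r[:path]} expected=#{r[:expected]} actual=#{r[:actual].inspect}"
  end
end
```

Two things to keep in mind when reading the results. ALLOWALL is not one of the values defined for X-Frame-Options (RFC 7034 defines DENY, SAMEORIGIN and ALLOW-FROM); browsers ignore a value they do not recognise, which is why it behaves as "no restriction". The same rule means a wrong value on a sensitive view silently allows framing, so the audit treats anything other than the exact expected value, including a missing header, as a failure.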