I have a page up and running (https://blooming-wind-8528.herokuapp.com/), using the following code:

App.rb contains:

require 'rubygems'
require 'sinatra'
require 'open-uri'
require 'json'

#show page
get "/" do
  profile = open("https://graph.facebook.com/me?access_token=#full_access_code_here_removed_for_stackoverflow#").read
  profile = JSON.parse(profile)
  @language = profile['locale'][0..1]

  erb :nofan
end

#redirect for facebook
post "/" do
  redirect "/"
end

views/nofan.erb contains:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Stestie</title>
    <meta property="og:title" content="No Fan"/>
    <meta property="og:type" content="website"/>
    <meta property="og:url" content="https://blooming-wind-8528.herokuapp.com/"/>
    <meta property="og:image" content="https://blooming-wind-8528.herokuapp.com/images/marker_s.png"/>
    <meta property="og:site_name" content="NO fan"/>
    <meta property="fb:app_id" content="293597294002599" />
    </head>

  <body>
        <p>App running in language: <%= @language %></p>
    </body>
</html>

Now, the weird thing: in the browser it loads perfectly. However, on Facebook it's not working. I get a blank screen. However, when I invoke an error code (for example, changing the access token to something wrong), I get a full-fledged Sinatra error page inside the iframe...

Does anybody know what I'm doing wrong?

Thx!

Maurice Kroon
Looks like you need to disable the X-Frame-Options header. Have a look at this question: http://stackoverflow.com/questions/7840613/how-do-i-get-sinatra-to-refrain-from-adding-the-x-frame-options-header and try out the solution in my answer there. – matt Oct 21 '11 at 16:18

1 Answer

Sinatra tries to avoid a click-jacking attack.

Add this line:

set :protection, :except => :frame_options

or this line:

disable :protection

to your application.

Konstantin Haase
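
Added example, not part of the answer above and not Sinatra's or Rack::Protection's own code: a plain-Ruby Rack-style middleware that keeps a framing restriction in place by allowing only named parent origins through the CSP `frame-ancestors` directive, instead of removing clickjacking protection for every site. The class name `FrameAncestors`, the Facebook origins listed and the sample app are assumptions made for illustration.

```ruby
# Rack-style middleware (plain Ruby, no gems): allow framing only by the
# listed parent origins instead of dropping clickjacking protection for all.
class FrameAncestors
  # Assumed parent origins for a Facebook canvas app; adjust to your embedder.
  DEFAULT_ALLOWED = ["https://apps.facebook.com", "https://www.facebook.com"].freeze

  def initialize(app, allowed: DEFAULT_ALLOWED)
    @app = app
    @directive = "frame-ancestors " + allowed.join(" ")
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    # X-Frame-Options cannot express "only these third-party origins"
    # (ALLOW-FROM is not supported by current browsers), so remove it,
    # whatever its casing, and rely on CSP frame-ancestors.
    headers.delete_if { |name, _| name.to_s.casecmp?("x-frame-options") }
    csp_key = headers.keys.find { |k| k.to_s.casecmp?("content-security-policy") } ||
              "Content-Security-Policy"
    headers[csp_key] = merge_csp(headers[csp_key])
    [status, headers, body]
  end

  private

  # Keep any other CSP directives the app already sends; replace only
  # an existing frame-ancestors directive.
  def merge_csp(existing)
    kept = existing.to_s.split(";").map(&:strip)
                   .reject { |d| d.empty? || d.downcase.start_with?("frame-ancestors") }
    (kept + [@directive]).join("; ")
  end
end

# Constructed stand-in for the Sinatra app with its default protection header.
SAMPLE_APP = lambda do |_env|
  [200, { "Content-Type" => "text/html", "X-Frame-Options" => "SAMEORIGIN",
          "Content-Security-Policy" => "default-src 'self'" }, ["ok"]]
end

def sample_headers
  FrameAncestors.new(SAMPLE_APP).call({})[1]
end
```

In the Sinatra app this would be loaded with `use FrameAncestors` alongside `set :protection, :except => :frame_options`, which leaves the remaining protections enabled.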