How do I get Sinatra to refrain from adding the X-Frame-Options header?
https://stackoverflow.com/questions/7840613
-
10-02-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I am using Sinatra to return some IFRAME contents, and I'd like to allow cross-domain src. Unfortunately, Sinatra is automatically adding an X-Frame-Options header to my response. How do I turn that off?
Solution
Sinatra uses Rack::Protection, in particular the frame_options option, which is what is setting the X-Frame-Options header.
You can configure which protections are used. Sinatra turns most of them on by default, (some are only enabled if you also are using sessions, and Rack::Protection itself doesn't enable some by default).
To prevent sending the X-Frame-Options header you need to disable frame_options like this:
set :protection, :except => :frame_options
OTHER TIPS
Another solution, and the one I ended up with in production, involves monkey-patching Rack::Protection::FrameOptions:
# This monkeypatch is needed to ensure the X-Frame-Options header is
# never set by rack-protection.
module Rack
module Protection
class FrameOptions < Base
def call(env)
status, headers, body = @app.call(env)
[status, headers, body]
end
end
end
end
Neither of the options presented here worked for my sinatra app. I ended up adding an after filter to modify the X-Frame-Options header to allow the app to be framed in by Facebook.
after do
headers({ 'X-Frame-Options' => 'ALLOW-FROM apps.facebook.com' })
end
I think I found a good way to handle this but would welcome feedback
The goal is to disable the X-Frame-Options just for one route to keep all the rack protection benefits:
app.get'/hello_world' do
headers({ 'X-Frame-Options' => '' })
"HELLO WORLD"
end
I believe this is a good option as it seems to prevent the rack protection from adding the SAMEORIGIN header on this one route
The "set :protection, :except => :frame_options" answer did not work for me, using Sinatra-1.3.3
I had to hack a solution; I put this mutha in my config.ru file. Obvs you can change the header to be anything you want.
config.ru
class Rack::Protection::FrameOptions
def header
@header ||= {}
end
end
Actually, the solution given by @matt is still working with Sinatra v1.4.5.
Yes, Sinatra is using Rack::Protection and according to Configuring attack protection
you could either disable protection at all (which is not recommended):
disable :protection
or only disable frame_options:
set :protection, :except => :frame_options
Other than that, if your problem is not because of X-Frame-Options, it may be Access-Control-Allow-Origin, then what you have to do is to add below line to your route before the return statement:
response['Access-Control-Allow-Origin'] = 'http://www.example.com/'
