How do I get Sinatra to refrain from adding the X-

2019-01-16 18:53发布

问题:

I am using Sinatra to return some IFRAME contents, and I'd like to allow cross-domain src. Unfortunately, Sinatra is automatically adding an X-Frame-Options header to my response. How do I turn that off?

回答1:

Sinatra uses Rack::Protection, in particular the frame_options option, which is what is setting the X-Frame-Options header.

You can configure which protections are used. Sinatra turns most of them on by default, (some are only enabled if you also are using sessions, and Rack::Protection itself doesn't enable some by default).

To prevent sending the X-Frame-Options header you need to disable frame_options like this:

set :protection, :except => :frame_options


回答2:

Another solution, and the one I ended up with in production, involves monkey-patching Rack::Protection::FrameOptions:

# This monkeypatch is needed to ensure the X-Frame-Options header is
# never set by rack-protection.
module Rack
  module Protection
    class FrameOptions < Base
      def call(env)
        status, headers, body = @app.call(env)
        [status, headers, body]
      end
    end
  end
end


回答3:

Neither of the options presented here worked for my sinatra app. I ended up adding an after filter to modify the X-Frame-Options header to allow the app to be framed in by Facebook.

after do
  headers({ 'X-Frame-Options' => 'ALLOW-FROM apps.facebook.com' })
end


回答4:

The "set :protection, :except => :frame_options" answer did not work for me, using Sinatra-1.3.3

I had to hack a solution; I put this mutha in my config.ru file. Obvs you can change the header to be anything you want.

config.ru

class Rack::Protection::FrameOptions
  def header
    @header ||= {}
  end
end


回答5:

I think I found a good way to handle this but would welcome feedback

The goal is to disable the X-Frame-Options just for one route to keep all the rack protection benefits:

    app.get'/hello_world' do
      headers({ 'X-Frame-Options' => '' })
      "HELLO WORLD"
    end

I believe this is a good option as it seems to prevent the rack protection from adding the SAMEORIGIN header on this one route



回答6:

Actually, the solution given by @matt is still working with Sinatra v1.4.5.

Yes, Sinatra is using Rack::Protection and according to Configuring attack protection

you could either disable protection at all (which is not recommended):

disable :protection

or only disable frame_options:

set :protection, :except => :frame_options

Other than that, if your problem is not because of X-Frame-Options, it may be Access-Control-Allow-Origin, then what you have to do is to add below line to your route before the return statement:

response['Access-Control-Allow-Origin'] = 'http://www.example.com/'