X-Frame-Options ALLOW-FROM a specific site allows

2020-08-13 02:12发布

I'm using a rails application to serve a page from abc.com. In it, I set the response headers in my application controller (for every request through before_filter) so that it can be accessed through an iframe only from a specific site (xyz.com), through the following code:

def set_x_frame_options
  response.headers["X-Frame-Options"] = "ALLOW-FROM http://www.xyz.com"
end

The problem is, not only am I able to access the page from abc.com on xyz but also on any other website. I want to limit the access to only xyz.com. When I examine the response headers in chrome console I can see the X-Frame-Options is being passed on correctly. This is happening across all browsers. Am I missing something?

1条回答
放荡不羁爱自由
2楼-- · 2020-08-13 02:44

For those looking for a definitive answer: it's not implemented in webkit, but does work in Firefox reportedly as of version 18.0. The following ruby syntax works for me in Firefox 20.0 on OSX:

response.headers["X-Frame-Options"] = "Allow-From http://www.website.com"
查看更多
登录 后发表回答