Tags: ruby-on-rails, iframe, http-headers, ruby-on-rails-4, x-frame-options

How to override X-Frame-Options for a controller or action in Rails 4


Rails 4 appears to set a default value of SAMEORIGIN for the X-Frame-Options HTTP response header. This is great for security, but it does not allow for parts of your app to be available in an iframe on a different domain.

You can override the value of X-Frame-Options globally using the config.action_dispatch.default_headers setting:

config.action_dispatch.default_headers['X-Frame-Options'] = "ALLOW-FROM https://apps.facebook.com"

But how do you override it for just a single controller or action?


Solution

  • If you want to remove the header completely, you can create an after_action filter:

    class FilesController < ApplicationController
      # Only the embed action drops the header; every other action keeps SAMEORIGIN.
      after_action :allow_iframe, only: :embed
    
      def embed
      end
    
    private
    
      def allow_iframe
        # Hash#except! is an ActiveSupport core extension; it removes the key in place.
        response.headers.except! 'X-Frame-Options'
      end
    end
    

    Or, of course, you can code the after_action to set the value to something different:

    class FacebookController < ApplicationController
      # No :only option, so every action in this controller gets the new value.
      after_action :allow_facebook_iframe
    
    private
    
      def allow_facebook_iframe
        response.headers['X-Frame-Options'] = 'ALLOW-FROM https://apps.facebook.com'
      end
    end
    

    Note that you need to clear your cache in certain browsers (Chrome for me) while debugging this.
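The following is an added, Rails-free example (not code from the question, the answer, or Rails itself) that simulates what the answer relies on: the framework seeds every response with `config.action_dispatch.default_headers`, and an `after_action` callback then edits that hash for the actions it is scoped to. `MiniController`, `DEFAULT_HEADERS` (assumed to mirror the Rails 4 defaults) and the `framing_policy` audit helper are stand-ins invented here; `Hash#delete` is used where the answer uses ActiveSupport's `except!`. The audit helper exists because removing the header leaves the action with no clickjacking protection at all, and because `ALLOW-FROM` is a legacy directive that current browsers ignore; the standard replacement is the Content-Security-Policy `frame-ancestors` directive, which the helper also recognises.

```ruby
# Stand-in for config.action_dispatch.default_headers (assumed Rails 4 defaults).
DEFAULT_HEADERS = {
  'X-Frame-Options'        => 'SAMEORIGIN',
  'X-XSS-Protection'       => '1; mode=block',
  'X-Content-Type-Options' => 'nosniff'
}.freeze

# Minimal controller stand-in: every response starts from the default headers,
# the action runs, then the after_action callbacks registered for it run.
class MiniController
  Response = Struct.new(:headers, :body)

  def self.after_actions
    @after_actions ||= []   # per-subclass list, like Rails' callback chain
  end

  # after_action :name, only: :action (or an array of actions); nil = all actions
  def self.after_action(name, only: nil)
    after_actions << [name, only && Array(only).map(&:to_sym)]
  end

  attr_reader :response

  def initialize
    @response = Response.new(DEFAULT_HEADERS.dup, '')
  end

  def process(action)
    public_send(action)
    self.class.after_actions.each do |name, only|
      send(name) if only.nil? || only.include?(action.to_sym)
    end
    response
  end
end

# Mirrors the answer's first controller: only :embed loses the header.
class FilesController < MiniController
  after_action :allow_iframe, only: :embed

  def embed; response.body = 'embed'; end
  def show;  response.body = 'show';  end

  private

  def allow_iframe
    response.headers.delete('X-Frame-Options')  # same effect as headers.except!
  end
end

# Mirrors the answer's second controller: every action gets ALLOW-FROM.
class FacebookController < MiniController
  after_action :allow_facebook_iframe

  def canvas; response.body = 'canvas'; end

  private

  def allow_facebook_iframe
    response.headers['X-Frame-Options'] = 'ALLOW-FROM https://apps.facebook.com'
  end
end

# Audit helper (constructed here): classify the framing protection a response
# actually carries, so a test suite can flag actions that end up unprotected
# or that rely on the legacy ALLOW-FROM directive.
def framing_policy(headers)
  csp = headers['Content-Security-Policy'].to_s
  return :csp_frame_ancestors if csp =~ /frame-ancestors/i

  case headers['X-Frame-Options']
  when nil                 then :unprotected        # framable by any origin
  when /\ADENY\z/i         then :deny
  when /\ASAMEORIGIN\z/i   then :sameorigin
  when /\AALLOW-FROM\s/i   then :allow_from_legacy  # ignored by current browsers
  else                          :invalid
  end
end

if $PROGRAM_NAME == __FILE__
  [[FilesController, :embed], [FilesController, :show], [FacebookController, :canvas]].each do |klass, action|
    h = klass.new.process(action).headers
    puts "#{klass}##{action}: X-Frame-Options=#{h['X-Frame-Options'].inspect} -> #{framing_policy(h)}"
  end
end
```

Running the file prints one line per action; the `:embed` action reports `:unprotected`, which is exactly the case to review before shipping, and the Facebook controller reports `:allow_from_legacy`, a hint to add a `frame-ancestors` policy alongside it.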