
Disabling CORS in Dashing


I have a dashing instance running on server1, and a webserver (server2) from which I would like to serve dashing dashboards in an iframe depending on their selections.

Using the native URL, I get the following:
Refused to display 'http://server1:3030/dashboard1' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

I have tried placing Dashing behind a local Apache reverse proxy on server1 and set the headers to allow. The remote Apache server (server2) then calls the reverse proxy, but Chrome dev tools still say it is denied.
Refused to display 'http://server1/dashboard1' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

This is with the reverse proxy Apache set with the following headers:

  Header set Access-Control-Allow-Origin "*"
  Header set Access-Control-Allow-Methods "GET, OPTIONS, POST"
  Header set Access-Control-Allow-Headers "origin, authorization, accept"

Not really knowing how thin works or how to set its headers, I am now a little stumped. I even tried adding allow via the http-equiv meta tags in layout.erb, with no success.


Solution

  • Since dashing uses Sinatra you can find the answer in Sinatra's Docs. I was able to accomplish this by adding the following to the config.ru file located in your dashing directory:

    configure do
      # Turn off only Rack::Protection's X-Frame-Options handling; other protections stay on
      set :protection, :except => :frame_options
    end

    Additional reference: How do I get Sinatra to refrain from adding the X-Frame-Options header?
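
With `frame_options` protection turned off as in the answer above, the dashboard can be framed by any site, and the `Access-Control-*` headers from the question play no part in framing. As an added example (not from the original answer or the Dashing project), this Rack middleware limits framing to named origins with the CSP `frame-ancestors` directive; the class name `FrameAncestors`, the origin `http://server2` and the config.ru wiring in the comments are assumptions.

```ruby
# Added example: allow framing only from listed origins instead of from everywhere.
# Assumed wiring in Dashing's config.ru, before `run Sinatra::Application`:
#   use FrameAncestors, allowed: ["http://server2"]
class FrameAncestors
  CSP = "content-security-policy"

  def initialize(app, allowed:)
    @app = app
    # 'self' keeps same-origin framing working, as SAMEORIGIN did.
    @directive = (["frame-ancestors 'self'"] + Array(allowed)).join(" ")
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup

    # Drop X-Frame-Options (any casing) so SAMEORIGIN does not block the
    # allowed origin; frame-ancestors takes over the restriction.
    headers.delete_if { |name, _| name.to_s.casecmp?("x-frame-options") }

    # Keep other CSP directives the app already sent, replacing only
    # an existing frame-ancestors directive.
    key = headers.keys.find { |name| name.to_s.casecmp?(CSP) } || CSP
    kept = headers[key].to_s.split(";").map(&:strip).reject do |d|
      d.empty? || d.downcase.start_with?("frame-ancestors")
    end
    headers[key] = (kept + [@directive]).join("; ")

    [status, headers, body]
  end
end

# Constructed stand-in for the Dashing app, sending the header from the question.
DEMO_APP = lambda do |_env|
  [200, { "X-Frame-Options" => "SAMEORIGIN", "Content-Type" => "text/html" }, ["dashboard1"]]
end

if __FILE__ == $PROGRAM_NAME
  _status, headers, _body = FrameAncestors.new(DEMO_APP, allowed: ["http://server2"]).call({})
  headers.each { |name, value| puts "#{name}: #{value}" }
end
```

Check the result in the browser's network tab: the response should carry `frame-ancestors 'self' http://server2` and no `X-Frame-Options` header.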