class Rack::Protection::FrameOptions
- to allow embedding from the same origin (default).
frame. Use :deny to forbid any embedding, :sameorigin
frame_options - Defines who should be allowed to embed the page in a
Options:
in a frame.
Sets X-Frame-Options header to tell the browser avoid embedding the page
More infos - developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header<br>Safari 4.0, Chrome 4.1.249.1042 and later
Supported browsers - Internet Explorer 8, Firefox 3.6.9, Opera 10.50,
Prevented attack -
Clickjacking
#
- Internet Explorer 8, Firefox 3.6.9, Opera 10.50,
- developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header<br>Safari 4.0, Chrome 4.1.249.1042 and later
- Defines who should be allowed to embed the page in a
def call(env)
def call(env) status, headers, body = @app.call(env) headers['X-Frame-Options'] ||= frame_options if html? headers [status, headers, body] end
def frame_options
def frame_options @frame_options ||= begin frame_options = options[:frame_options] frame_options = options[:frame_options].to_s.upcase unless frame_options.respond_to? :to_str frame_options.to_str end end