Question:
Rails 4 appears to set a default value of SAMEORIGIN for the X-Frame-Options HTTP response header. This is great for security, but it does not allow for parts of your app to be available in an iframe on a different domain.

You can override the value of X-Frame-Options globally using the config.action_dispatch.default_headers setting:

config.action_dispatch.default_headers['X-Frame-Options'] = "ALLOW-FROM https://apps.facebook.com"

But how do you override it for just a single controller or action?
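An added example, not part of the question or the asker's code: a Rack-style middleware in plain Ruby (runs without Rails or the rack gem) that keeps the SAMEORIGIN default everywhere and emits a different X-Frame-Options value only under one path prefix, which is the per-route version of the global setting quoted above. The class name FrameOptions, the /embed prefix, the BARE_APP stand-in and the frame_headers_for helper are all assumed names for this illustration.

```ruby
# Added example (not from the original post): a Rack-style middleware, written in
# plain Ruby so it runs without Rails or the rack gem, that keeps Rails' default
# X-Frame-Options: SAMEORIGIN everywhere except under an assumed "/embed" path,
# where a caller-supplied value (e.g. ALLOW-FROM ...) is emitted instead.
# Inside a Rails controller the per-action equivalent is assigning
#   response.headers['X-Frame-Options'] = 'ALLOW-FROM https://apps.facebook.com'
# in the action (default_headers are only defaults; a value set on the response wins).
class FrameOptions
  DEFAULT = 'SAMEORIGIN'.freeze

  # app        - the downstream Rack app (anything responding to #call(env))
  # embed_path - path prefix whose responses may be framed cross-origin
  # allow_from - the X-Frame-Options value to emit for that prefix
  def initialize(app, embed_path:, allow_from:)
    @app = app
    @embed_path = embed_path
    @allow_from = allow_from
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    path = env['PATH_INFO'].to_s
    # Match "/embed" and "/embed/..." but not "/embedded".
    embeddable = path == @embed_path || path.start_with?("#{@embed_path}/")
    headers['X-Frame-Options'] = embeddable ? @allow_from : DEFAULT
    # ALLOW-FROM was never supported by Chrome or Safari, and a browser that does
    # not recognise the value ignores the header entirely (no framing protection),
    # so pair it with CSP frame-ancestors, the standards-track replacement.
    if embeddable && @allow_from.start_with?('ALLOW-FROM ')
      origin = @allow_from.sub('ALLOW-FROM ', '')
      headers['Content-Security-Policy'] = "frame-ancestors #{origin}"
    end
    [status, headers, body]
  end
end

# Constructed stand-in for the Rails app: a response with no framing header at all.
BARE_APP = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<p>hi</p>']] }

# Helper: run one request through the middleware and return the response headers.
def frame_headers_for(path, allow_from: 'ALLOW-FROM https://apps.facebook.com')
  app = FrameOptions.new(BARE_APP, embed_path: '/embed', allow_from: allow_from)
  app.call('PATH_INFO' => path)[1]
end

if __FILE__ == $PROGRAM_NAME
  puts frame_headers_for('/dashboard')['X-Frame-Options']    # SAMEORIGIN
  puts frame_headers_for('/embed/widget')['X-Frame-Options'] # ALLOW-FROM https://apps.facebook.com
end
```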