How to override X-Frame-Options for a controller or action in Rails 4

Question:

Rails 4 appears to set a default value of SAMEORIGIN for the X-Frame-Options HTTP response header. This is great for security, but it does not allow for parts of your app to be available in an iframe on a different domain.

You can override the value of X-Frame-Options globally using the config.action_dispatch.default_headers setting:

config.action_dispatch.default_headers['X-Frame-Options'] = "ALLOW-FROM https://apps.facebook.com"

But how do you override it for just a single controller or action?


Solution:
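
One way to scope the override to part of an app, as an added example that is not part of the original page: a Rack middleware that leaves the default SAMEORIGIN header in place everywhere except the listed path prefixes. The class name, the `/embed` prefix and the stub downstream app are assumptions constructed for illustration; a CSP `frame-ancestors` header is set as well because current browsers ignore `ALLOW-FROM`.

```ruby
# Added example: relax framing protection only for chosen path prefixes.
class FrameOptionsOverride
  # overrides: { path_prefix => allowed_origin } (hypothetical values)
  def initialize(app, overrides)
    @app = app
    @overrides = overrides
  end

  def call(env)
    status, headers, body = @app.call(env)
    origin = origin_for(env['PATH_INFO'].to_s)
    # No match: pass the response through with the default header intact.
    return [status, headers, body] unless origin

    headers = headers.dup
    headers['X-Frame-Options'] = "ALLOW-FROM #{origin}"
    # Browsers that ignore ALLOW-FROM enforce CSP frame-ancestors instead.
    # An existing CSP is left untouched; add frame-ancestors at its source.
    headers['Content-Security-Policy'] ||= "frame-ancestors #{origin}"
    [status, headers, body]
  end

  private

  # Match whole path segments so "/embed" does not also match "/embedded".
  def origin_for(path)
    _prefix, origin = @overrides.find do |prefix, _|
      path == prefix || path.start_with?(prefix + '/')
    end
    origin
  end
end

# Constructed downstream app standing in for Rails and its default header.
DEFAULT_APP = lambda do |_env|
  [200, { 'X-Frame-Options' => 'SAMEORIGIN' }, ['ok']]
end

# Helper for the example: response headers the stack returns for a path.
def frame_headers_for(path)
  stack = FrameOptionsOverride.new(DEFAULT_APP,
                                   '/embed' => 'https://apps.facebook.com')
  _status, headers, _body = stack.call('PATH_INFO' => path)
  headers
end
```

Inside a single controller action, assigning `response.headers['X-Frame-Options']` has the same effect for that one response.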

Reference: https://stackoom.com/en/question/1FOac