I am developing a Rails application that clients can embed on their sites using iframes. I am looking for a way to allow only my clients to embed the app. I am familiar with the X-Frame-Options header, i.e.:

    response.headers["X-Frame-Options"] = "ALLOW-FROM http://www.example.com"

(from "X-Frame-Options ALLOW-FROM a specific site allows from all")
Is there a way to allow a number of sites?
OK, Octopus-Paul put me on the right track. I resolved this with the following code in application.rb:

    config.action_dispatch.default_headers = {
      referer = request.headers['Referer']
      site = 'http://www.example.com'
      if (referer =~ Regexp.new "\\A#{site}")
        'X-Frame-Options' => 'ALLOWALL'
      else
        'X-Frame-Options' => 'SAMEORIGIN'
      end
    }

Now I just need to scan a list of allowed sites using this code, and I'm done, I guess.
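
As an added example (not part of the original post), one way to scan a list of allowed sites: reduce the Referer to its origin and compare it exactly against the allowlist, because a prefix match on http://www.example.com also accepts a host such as www.example.com.evil.test. The sketch also sends the CSP frame-ancestors directive, which takes several origins in one header. ALLOWED_FRAME_ORIGINS, referer_origin, frame_headers and FrameGuard are hypothetical names, and the listed origins are constructed placeholders.

```ruby
require 'uri'

# Constructed allowlist of client origins (placeholders, not from the post).
ALLOWED_FRAME_ORIGINS = %w[http://www.example.com https://client.example.org].freeze

# Reduce a Referer value to scheme://host[:port]; nil if it is missing or unusable.
def referer_origin(referer)
  uri = URI.parse(referer.to_s)
  return nil unless uri.is_a?(URI::HTTP) && uri.host # URI::HTTPS is a subclass

  origin = "#{uri.scheme}://#{uri.host.downcase}"
  origin += ":#{uri.port}" unless uri.port == uri.default_port
  origin
rescue URI::InvalidURIError
  nil
end

# Framing headers for one response.
# frame-ancestors lists every allowed origin, so it does not depend on Referer.
# X-Frame-Options is kept as SAMEORIGIN unless the Referer origin is an exact
# allowlist member (the post's idea, without the prefix match).
def frame_headers(referer, allowed = ALLOWED_FRAME_ORIGINS)
  headers = { 'Content-Security-Policy' => "frame-ancestors 'self' #{allowed.join(' ')}" }
  headers['X-Frame-Options'] = 'SAMEORIGIN' unless allowed.include?(referer_origin(referer))
  headers
end

# Rack-style middleware wrapper; needs no gem because Rack only requires #call(env).
class FrameGuard
  def initialize(app, allowed = ALLOWED_FRAME_ORIGINS)
    @app = app
    @allowed = allowed
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, headers.merge(frame_headers(env['HTTP_REFERER'], @allowed)), body]
  end
end
```

In a Rails app a class like this would be registered with config.middleware.use in application.rb, where the request is available per call, unlike in default_headers.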