Ruby-on-rails: Cannot display my rails 4 app in iframe even if 'X-Frame-Options' is 'ALLOWALL'

Note: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/17542511/

Date: 2020-09-02 22:18:15  Source: igfitidea

Cannot display my rails 4 app in iframe even if 'X-Frame-Options' is 'ALLOWALL'

ruby-on-rails responsive-design x-frame-options

Asked by Steve Robinson

I am trying to test a responsive design. I am using Rails 4. I know it sets 'X-Frame-Options' to SAME ORIGIN. So I overrode it in development.rb using

config.action_dispatch.default_headers = {
  'X-Frame-Options' => 'ALLOWALL'
}

and it worked. I checked out the network request in the Chrome console and it is as follows:

[screenshot of the Chrome network panel showing the response headers]

But still websites like responsive.is and responsinator.com give me the error below:

Refused to display 'http://localhost:3000/' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'. about:blank:1

What's going on??

Accepted answer by Yi Feng Xie

I had the same problem as you, and searched for a solution to this problem all night.

I finally found out why it happens. It's because of the Chrome cache.

You can see the header['X-Frame-Options'] is ALLOWALL but it doesn't work.

Just try to open a "New Incognito Window" and go to the same page and it works!

This problem only happened in development mode in my test. It worked fine in production mode.

Answered by Timrael

Try just to delete this header 'X-Frame-Options'. Maybe this way, in the controller:

before_filter :allow_iframe_requests
...
# Removes the X-Frame-Options header Rails sets by default, so the response can be framed
def allow_iframe_requests
  response.headers.delete('X-Frame-Options')
end

Answered by Sheharyar

Rails 4 added a default X-Frame-Options HTTP header value of SAMEORIGIN. This is good for security, but when you do want your action to be called in an iframe, you can do this:



To Allow all Origins:

class MyController < ApplicationController
  def iframe_action
    response.headers.delete "X-Frame-Options"
    render_something
  end
end

To Allow a Specific Origin:

class MyController < ApplicationController
  def iframe_action
    response.headers["X-FRAME-OPTIONS"] = "ALLOW-FROM http://some-origin.com"
    render_something
  end
end


Use :after_filter

When you need to use more than one of your actions in an iframe, it's a good idea to make a method and call it with :after_filter:

class ApplicationController < ActionController::Base

  private
  def allow_iframe
    response.headers.delete "X-Frame-Options"
  end
end

Use it in your controllers like this:

class MyController < ApplicationController
  after_filter :allow_iframe, only: [:basic_embed, :awesome_embed]

  def basic_embed
    render_something
  end

  def awesome_embed
    render_something
  end

  # Other Actions...
end


Do a hard refresh in your browser, or use another browser to view changes.

Via: Rails 4: let specific actions be embedded as iframes

Answered by d1jhoni1b

When 'Load denied by X-Frame-Options' using Heroku & Firefox

I had a similar issue where I kept getting this error only on Firefox. I had a PHP web page hosted @ MochaHost serving a Rails app hosted @ Heroku (so the RoR app has a page with an iframe which is pointing to the PHP web page, and this was working on all browsers except on Firefox).

I was able to solve the problem by setting a default header for all of my requests in the specific environment file:

# config/environments/production.rb

config.action_dispatch.default_headers = { 'X-Frame-Options' => 'ALLOWALL' }


Edit (as sheharyar suggested)

Ideally, you shouldn't set a default header and do this only for actions that have to be rendered in an iFrame. If your entire app is being served inside an iFrame, you should explicitly mention the Origin:

# config/environments/production.rb

config.action_dispatch.default_headers = { 'X-Frame-Options' => 'ALLOW-FROM http://some-origin.com' }

Answered by Thong Kuah

Try ALLOW-FROM http://example.com instead? ALLOWALL might be ok in Chrome if you have a sufficiently new version of Chrome [2]

[1] https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

[2] https://stackoverflow.com/a/16101968/800526

Answered by calasyr

If you want to have this change take effect in all environments, place it in application.rb.

Answered by Matt Stevens

I found another cause for this. Assuming the ALLOWALL or similar fix is implemented, the next gotcha is attempting to use http content in an https website, which causes security risks and is blocked by Mozilla, IE and probably other browsers. It took me 6 hours to identify this; hopefully by sharing I can reduce someone's pain...

It can be checked by:

  • using your browser web-tools, which should display an error.
  • web logs will lack any connection with your supplying site.
  • replacing your content's url with a bank's https home page should demonstrate the iframe otherwise works.

The solution is to ask the source if they have https content or find another supplier.

ref:

Answered by armont_development

I just wanted to give an updated answer here on dealing with embedding a Rails app in an iframe.

It's not a great idea to simply delete X-Frame-Options headers without having some other kind of security enforced to prevent against clickjacking (which is the vulnerability X-Frame-Options is largely trying to protect you from).

The problem is that the X-Frame-Options 'ALLOW-FROM' option is not accepted on most major browsers anymore.

As of writing this, May 28th 2020, the best solution for preventing clickjacking and hosting your app in an iframe is to implement a Content-Security-Policy and set a 'frame_ancestors' policy. The 'frame_ancestors' key designates what domains can embed your app as an iframe. It's currently supported by major browsers and overrides your X-Frame-Options.

You can set up a Content-Security-Policy with Rails 5.2 in an initializer (example below), and for Rails < 5.2 you can use a gem like the Secure Headers gem: https://github.com/github/secure_headers

You can also override the policy specifications on a controller/action basis if you'd like.

Content-Security-Policies are great for advanced security protections. Check out all the things you can configure in the Rails docs: https://edgeguides.rubyonrails.org/security.html

A Rails 5.2 example for a Content-Security-Policy:

# config/initializers/content_security_policy.rb
Rails.application.config.content_security_policy do |policy|
  policy.frame_ancestors :self, 'some_website_that_embeds_your_app.com'
end

An example of a controller-specific change to a policy:

# Override policy inline
class PostsController < ApplicationController
  content_security_policy do |p|
    p.frame_ancestors :self, 'some_other_website_that_can_embed_posts.com'
  end
end
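Added example, not code from any of the answers above or from Rails itself: a Rack-style middleware in plain Ruby (runs without Rails or the rack gem) that combines Sheharyar's per-action idea with this answer's frame-ancestors approach. Only the listed paths drop X-Frame-Options and receive a frame-ancestors list; every other response keeps SAMEORIGIN and frame-ancestors 'self'. The path "/embed", the origin "https://partner.example" and the downstream app are constructed for the demonstration.

```ruby
# Added example, not from the StackOverflow answers: a Rack-style middleware
# that applies CSP frame-ancestors per path. Runs without Rails or the rack gem.
class FramingPolicy
  # Accepts host or scheme://host[:port] source expressions, as frame-ancestors does
  # (a trailing path would be rejected; CSP sources for framing are origins, not URLs).
  ORIGIN_RE = %r{\A(https?://)?[A-Za-z0-9*][A-Za-z0-9.*-]*(:\d+)?\z}

  # embeddable maps a request path to the origins allowed to frame it (constructed values).
  def initialize(app, embeddable)
    embeddable.each_value do |origins|
      origins.each do |o|
        raise ArgumentError, "#{o.inspect} is not a valid frame-ancestors source" unless o.match?(ORIGIN_RE)
      end
    end
    @app = app
    @embeddable = embeddable
  end

  def call(env)
    status, headers, body = @app.call(env)
    ancestors = @embeddable[env["PATH_INFO"]]
    if ancestors
      # Embeddable path: drop the SAMEORIGIN header Rails sets by default
      # (ALLOW-FROM is no longer honoured) and let CSP decide who may frame it.
      headers.delete("X-Frame-Options")
      headers["Content-Security-Policy"] = "frame-ancestors 'self' #{ancestors.join(' ')}"
    else
      # Everything else stays framable only by the app itself, stated both ways.
      headers["X-Frame-Options"] = "SAMEORIGIN"
      headers["Content-Security-Policy"] = "frame-ancestors 'self'"
    end
    [status, headers, body]
  end
end

# Constructed downstream app mimicking Rails' default header, plus a policy
# that lets one partner origin frame /embed only.
INNER_APP = lambda do |_env|
  [200, { "Content-Type" => "text/html", "X-Frame-Options" => "SAMEORIGIN" }, ["<html></html>"]]
end
POLICY = FramingPolicy.new(INNER_APP, "/embed" => ["https://partner.example"])

# Returns the response headers the browser would see for a given path.
def response_headers_for(path)
  _status, headers, _body = POLICY.call("PATH_INFO" => path)
  headers
end
```

Calling `response_headers_for("/embed")` shows the CSP header with no X-Frame-Options, while `response_headers_for("/")` still carries SAMEORIGIN.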