If you want to remove the header completely, you can create an after_actionfilter:

如果要完全删除标题，可以创建一个after_action过滤器：

class FilesController < ApplicationController
  after_action :allow_iframe, only: :embed

  def embed
  end

private

  def allow_iframe
    response.headers.except! 'X-Frame-Options'
  end
end

Or, of course, you can code the after_actionto set the value to something different:

或者，当然，您可以编写代码after_action以将值设置为不同的值：

class FacebookController < ApplicationController
  after_action :allow_facebook_iframe

private

  def allow_facebook_iframe
    response.headers['X-Frame-Options'] = 'ALLOW-FROM https://apps.facebook.com'
  end
end

Note that you need to clear your cache in certain browsers (Chrome for me) while debugging this.

请注意，在调试时，您需要清除某些浏览器（对我来说是 Chrome）中的缓存。

I just wanted to include an updated answer here for anyone who finds this link when trying to figure out how to allow your Rails app to be embedded in an I-Frame and running into issues.

我只是想在这里为任何在尝试弄清楚如何允许您的 Rails 应用程序嵌入 I-Frame 并遇到问题时找到此链接的人提供更新的答案。

As of writing this, May 28th 2020, the X-Frame-Options changes are probably not your best solution to your problem. The "ALLOW-FROM" option has been totally disallowed by all major browsers.

在撰写本文时，即 2020 年 5 月 28 日，X-Frame-Options 更改可能不是您问题的最佳解决方案。“ALLOW-FROM”选项已被所有主要浏览器完全禁止。

The modern solution is to implement a Content-Security-Policy and set a 'frame_ancestors' policy. The 'frame_ancestors' key designates what domains can embed your app as an iframe. Its currently supported by major browsers and overrides your X-Frame-Options. This will allow you to prevent ClickHymaning (which the X-Frame-Options was originally intended to help with before it largely became deprecated) and lock down your app in a modern environment.

现代解决方案是实施 Content-Security-Policy 并设置“frame_ancestors”策略。'frame_ancestors' 键指定哪些域可以将您的应用程序嵌入为 iframe。它目前受主要浏览器支持并覆盖您的 X-Frame-Options。这将允许您防止点击劫持（X-Frame-Options 最初旨在帮助它在很大程度上被弃用之前提供帮助）并在现代环境中锁定您的应用程序。

You can set up a Content-Security-Policy with Rails 5.2 in an initializer (example below), and for Rails < 5.2 you can use a gem like the Secure Headers gem: https://github.com/github/secure_headers

您可以在初始化程序中使用 Rails 5.2 设置 Content-Security-Policy（以下示例），对于 Rails < 5.2，您可以使用像 Secure Headers gem 这样的 gem：https: //github.com/github/secure_headers

You can also override the policy specifications on a controller/action basis if you'd like.

如果您愿意，您还可以在控制器/操作的基础上覆盖策略规范。

Content-Security-Policies are great for advanced security protections. Check out all the things you can configure in the Rails docs: https://edgeguides.rubyonrails.org/security.html

内容安全策略非常适合高级安全保护。查看您可以在 Rails 文档中配置的所有内容：https: //edgeguides.rubyonrails.org/security.html

A Rails 5.2 example for a Content-Security-Policy:

内容安全策略的 Rails 5.2 示例：

# config/initializers/content_security_policy.rb    
    Rails.application.config.content_security_policy do |policy|
      policy.frame_ancestors :self, 'some_website_that_embeds_your_app.com'
    end

An example of a controller specific change to a policy:

控制器特定更改策略的示例：

# Override policy inline
class PostsController < ApplicationController
  content_security_policy do |p|
    p.frame_ancestors :self, 'some_other_website_that_can_embed_posts.com'
  end
end