Original URL: http://stackoverflow.com/questions/16561066/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Ruby on rails 4 app does not work in iframe
Asked by Oleg Pasko
How can I embed my rails app into another website via iframe?
It works nicely with RoR 3, but not with RoR 4:
<iframe src="http://myrailsapp.com/" width="100%" height="50" id="rails_iframe">error!</iframe>
I tried to use verify_authenticity_token and protect_from_forgery options in my controller... seems it's something else (but I'm not sure).
upd. Example: http://jsfiddle.net/zP329/
Answered by jcypret
This has to do with Rails 4 enabling additional security protocols by default: http://weblog.rubyonrails.org/2013/2/25/Rails-4-0-beta1/
The setting that breaks iFrames on remote sites is X-Frame-Options. By default, this is set to SAMEORIGIN, which prevents the content from being loaded cross domain:
config.action_dispatch.default_headers = {
  'X-Frame-Options' => 'SAMEORIGIN'
}
You can read about the new default headers here: http://edgeguides.rubyonrails.org/security.html#default-headers
In order to allow the iFrame to work cross domain, you can change the default headers to allow X-Frame across domain.
config.action_dispatch.default_headers = {
  'X-Frame-Options' => 'ALLOWALL'
}
Answered by Sheharyar
Rails 4 added a default X-Frame-Options HTTP header value of SAMEORIGIN. This is good for security, but when you do want your action to be called in an iframe, you can do this:
To Allow all Origins:
class MyController < ApplicationController
  def iframe_action
    response.headers.delete "X-Frame-Options"
    render_something
  end
end
To Allow a Specific Origin:
class MyController < ApplicationController
  def iframe_action
    # Use the same key as the default header so this value replaces SAMEORIGIN
    response.headers["X-Frame-Options"] = "ALLOW-FROM http://some-origin.com"
    render_something
  end
end
Use :after_filter
When you need to use more than one of your actions in an iframe, it's a good idea to make a method and call it with :after_filter:
class ApplicationController < ActionController::Base
  private

  def allow_iframe
    response.headers.delete "X-Frame-Options"
  end
end
Use it in your controllers like this:
class MyController < ApplicationController
  after_filter :allow_iframe, only: [:basic_embed, :awesome_embed]

  def basic_embed
    render_something
  end

  def awesome_embed
    render_something
  end

  # Other Actions...
end
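Added example, not part of the answers on this page and not Rails' own code: a plain-Ruby sketch of the "allow a specific origin" case that goes one step beyond the answer by emitting a Content-Security-Policy frame-ancestors directive, because Chromium-based browsers do not honor ALLOW-FROM. FramingPolicy and the partner.example origin are hypothetical names made up for the example.

```ruby
require "uri"

# FramingPolicy is a hypothetical helper, not a Rails API.
class FramingPolicy
  XFO = "X-Frame-Options"
  CSP = "Content-Security-Policy"

  def initialize(allowed_origins)
    @allowed = allowed_origins.map { |o| normalize(o) }.uniq
  end

  # Returns a copy of +headers+ with the framing policy applied.
  def apply(headers)
    # Drop every spelling of the header, so "X-FRAME-OPTIONS" and
    # "X-Frame-Options" cannot both reach the browser.
    out = headers.reject { |name, _| name.casecmp?(XFO) }
    # With no embedders configured, keep the Rails 4 default behaviour.
    out[XFO] = "SAMEORIGIN" if @allowed.empty?
    set_frame_ancestors(out, ["'self'", *@allowed].join(" "))
  end

  private

  # Accept only scheme://host[:port]; rejects "*", paths and CR/LF.
  def normalize(origin)
    uri = URI.parse(origin)
    ok = %w[http https].include?(uri.scheme) && uri.host &&
         ["", "/"].include?(uri.path) && uri.query.nil? &&
         uri.userinfo.nil? && uri.fragment.nil?
    raise ArgumentError, "not an origin: #{origin.inspect}" unless ok
    default = uri.scheme == "https" ? 443 : 80
    port = uri.port == default ? "" : ":#{uri.port}"
    "#{uri.scheme}://#{uri.host.downcase}#{port}"
  rescue URI::InvalidURIError
    raise ArgumentError, "not an origin: #{origin.inspect}"
  end

  # Replace an existing frame-ancestors directive, keep other CSP directives.
  def set_frame_ancestors(headers, sources)
    key = headers.keys.find { |k| k.casecmp?(CSP) } || CSP
    kept = headers[key].to_s.split(";").map(&:strip)
                       .reject { |d| d.empty? || d.downcase.start_with?("frame-ancestors") }
    headers.merge(key => (kept + ["frame-ancestors #{sources}"]).join("; "))
  end
end
```

In a controller the same logic would run from an after filter against response.headers; browsers that understand frame-ancestors enforce it in place of X-Frame-Options.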
Answered by Evgeny Danilov
I'm working with Rails 6 and Chromium 76. Previous solution with X-Frame-Options is not working. But I've noticed that it works very well when we attach online iframe with JS. So, I just made this simple solution in my view:
<div id='iframe_wrapper' data-iframe-content='<iframe src="https://host.com/"></iframe>'>
</div>
...and add JS code like this:
$(document).ready(function() {
  var wrapper = $('#iframe_wrapper')[0]
  wrapper.innerHTML = wrapper.attributes['data-iframe-content'].value
})

