Enable pages to be used in iframes
See alphagov/manuals-frontend#123

Rails 4+ sets the X-Frame-Options header to SAMEORIGIN by default. This means
that the resource can only be put into an iframe on the same domain.

One problem this causes is that the side-by-side browser - which is a tool used
during transition - can't work correctly.

In the past we have decided that, with the exception of transaction start
pages, we want to allow content on GOV.UK to be iframed. Transaction start
pages are exceptional because we are particularly concerned about clickjacking
of the start button.
dsingleton authored and David Singleton committed Jun 30, 2015
1 parent 17ab4ac commit 89284b0
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions config/application.rb
Expand Up @@ -22,5 +22,10 @@ class Application < Rails::Application
# config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
# config.i18n.default_locale = :de
config.assets.prefix = "/collections/"

# Override Rails 4 default which restricts framing to SAMEORIGIN.
config.action_dispatch.default_headers = {
'X-Frame-Options' => 'ALLOWALL'
}
end
end
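Review bot: assigning `config.action_dispatch.default_headers = { 'X-Frame-Options' => 'ALLOWALL' }` replaces the whole default-headers hash, so the other Rails 4 defaults (`X-XSS-Protection` and `X-Content-Type-Options`) are dropped together with the SAMEORIGIN setting; if the intent is only to relax framing, `config.action_dispatch.default_headers.delete('X-Frame-Options')` or `config.action_dispatch.default_headers.merge!('X-Frame-Options' => ...)` keeps the rest. Separately, `ALLOWALL` is not a value defined by RFC 7034 (only `DENY`, `SAMEORIGIN` and `ALLOW-FROM`), so browsers ignore the header; that does produce "framing allowed", but the comment on the line above should say so, and `Content-Security-Policy: frame-ancestors` would let the allowed framers be listed instead of opening the page to every origin.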

3 comments on commit 89284b0

@kravietz kravietz commented on 89284b0 Jan 21, 2019


You might use X-Frame-Options: allow-from https://www.gov.uk (Reference) which should offer a reasonable compromise between the needs of transformation and resistance to clickjacking. Or use Content-Security-Policy: frame-ancestors ... with the same effect. This workaround was created in 2015 and it's now 2018 and www.gov.uk still sets it to allowall which, at best, looks unprofessional.
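As an added example, not code from the alphagov repository or from either commenter: a Rack-style middleware that implements the policy the commit message and the comment above describe (transaction start pages deny framing, everything else allows a named set of framers via `frame-ancestors`), together with a check of `X-Frame-Options` values against the RFC 7034 grammar, which is how `ALLOWALL` shows up as an undefined value. The `/start/` prefix and the framer list are assumptions for the example.

```ruby
# Added example; not the alphagov code. Framing policy middleware plus an
# X-Frame-Options validator. Constructed values: the path prefix for
# transaction start pages and the list of origins allowed to frame us.
TRANSACTION_START_PREFIXES = ['/start/'].freeze        # assumption
ALLOWED_FRAMERS = ['https://www.gov.uk'].freeze         # assumption

# RFC 7034 defines exactly three forms; anything else (e.g. ALLOWALL) is
# undefined and browsers simply ignore the header.
VALID_XFO = /\A(DENY|SAMEORIGIN|ALLOW-FROM \S+)\z/i

def xfo_valid?(value)
  !!(value =~ VALID_XFO)
end

# Headers for a given path. CSP frame-ancestors is the primary control;
# ALLOW-FROM is a legacy fallback that only some older browsers honour.
def framing_headers_for(path)
  if TRANSACTION_START_PREFIXES.any? { |p| path.start_with?(p) }
    { 'X-Frame-Options' => 'DENY',
      'Content-Security-Policy' => "frame-ancestors 'none'" }
  else
    { 'X-Frame-Options' => "ALLOW-FROM #{ALLOWED_FRAMERS.first}",
      'Content-Security-Policy' => "frame-ancestors #{ALLOWED_FRAMERS.join(' ')}" }
  end
end

class FramingPolicy
  def initialize(app)
    @app = app
  end

  # Merge into the downstream headers rather than replacing them, so other
  # security headers set elsewhere survive.
  def call(env)
    status, headers, body = @app.call(env)
    [status, headers.merge(framing_headers_for(env['PATH_INFO'].to_s)), body]
  end
end

# Constructed sample app standing in for the Rails application.
APP = FramingPolicy.new(->(_env) { [200, { 'Content-Type' => 'text/html' }, ['ok']] })

def headers_for(path)
  APP.call('PATH_INFO' => path)[1]
end
```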

@dsingleton
Contributor Author


Hi @kravietz,

Thanks for the comment. I didn't know about allow-from, neat 👍

You might want to post this as an issue on the repo, as I'm not sure anyone else but me would be notified about this comment (and I haven't worked at GDS for almost 2 years).

Cheers,
David

@kravietz


Thanks @dsingleton definitely will do!
