When logging is turned on, you see the warning: attack prevented by Rack::Protection::HttpOrigin. Rack::Protection::HttpOrigin drops non-GET requests whose Origin header does not match your application's own host, and Facebook's canvas posts to your app from a facebook.com origin. Either add that origin to the whitelist (the check stays active for every other origin):
set :protection, :origin_whitelist => ['https://s-static.ak.facebook.com']
or switch the check off entirely (the :except key is the underscored middleware name, so it is :http_origin, not :http_options):
set :protection, :except => :http_origin
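To make the difference between the two settings concrete, here is a gem-free, Rack-style re-implementation of the decision Rack::Protection::HttpOrigin makes. It is an added example, not code from the page or from rack-protection; the app host myapp.example.com and the request environments are constructed for the demonstration, and `whitelist:`/`enabled:` stand in for the `:origin_whitelist` and `:except` settings above.

```ruby
# Added example (not from the original page or from rack-protection):
# a minimal re-implementation of the Origin check that
# Rack::Protection::HttpOrigin performs, so the two fixes can be compared.
# Request environments are plain Hashes in Rack's CGI-style format.

class OriginCheck
  SAFE_METHODS  = %w[GET HEAD OPTIONS TRACE].freeze
  DEFAULT_PORTS = { 'http' => 80, 'https' => 443 }.freeze

  # app:       the downstream Rack app (anything responding to #call)
  # whitelist: origins allowed to send non-safe requests, like
  #            :origin_whitelist in the Sinatra setting
  # enabled:   false models `set :protection, :except => :http_origin`
  def initialize(app, whitelist: [], enabled: true)
    @app, @whitelist, @enabled = app, whitelist, enabled
  end

  def call(env)
    return @app.call(env) if accepts?(env)
    [403, { 'Content-Type' => 'text/plain' }, ['Forbidden: attack prevented by OriginCheck']]
  end

  # Same decision order as HttpOrigin#accepts?:
  # safe method -> no Origin header -> same origin -> whitelist.
  def accepts?(env)
    return true unless @enabled
    return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])
    origin = env['HTTP_ORIGIN']
    return true if origin.nil?
    return true if origin == base_url(env)
    @whitelist.include?(origin)
  end

  private

  # Rebuild "scheme://host[:port]" for the request, omitting default ports.
  def base_url(env)
    scheme = env['rack.url_scheme']
    host   = env['SERVER_NAME']
    port   = env['SERVER_PORT'].to_i
    port_s = port == DEFAULT_PORTS[scheme] ? '' : ":#{port}"
    "#{scheme}://#{host}#{port_s}"
  end
end

# Downstream app always succeeds, so the status tells us what the check did.
CANVAS_APP = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<h1>canvas</h1>']] }

# Constructed sample request: a POST into our app from a Facebook origin.
def facebook_post(origin = 'https://s-static.ak.facebook.com')
  {
    'REQUEST_METHOD'  => 'POST',
    'rack.url_scheme' => 'https',
    'SERVER_NAME'     => 'myapp.example.com', # hypothetical app host
    'SERVER_PORT'     => '443',
    'HTTP_ORIGIN'     => origin
  }
end

def status_for(middleware, env)
  middleware.call(env).first
end

# Default protection: the cross-origin POST is dropped (the logged warning).
DEFAULT_CHECK = OriginCheck.new(CANVAS_APP)
# Fix 1: keep the check, but admit Facebook's origin.
WHITELISTED   = OriginCheck.new(CANVAS_APP, whitelist: ['https://s-static.ak.facebook.com'])
# Fix 2: switch the check off for every origin.
DISABLED      = OriginCheck.new(CANVAS_APP, enabled: false)

if $PROGRAM_NAME == __FILE__
  puts status_for(DEFAULT_CHECK, facebook_post)                       # 403
  puts status_for(WHITELISTED, facebook_post)                         # 200
  puts status_for(WHITELISTED, facebook_post('https://evil.example')) # 403
  puts status_for(DISABLED, facebook_post('https://evil.example'))    # 200
end
```

The last two lines show why the whitelist is preferable: with the check disabled, a POST from any third-party origin reaches your handlers, which is exactly the cross-site request forgery the middleware exists to stop.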
Sinatra uses Rack::Protection to defend your application against common, opportunistic attacks. One of those attacks is clickjacking. The defence is the X-Frame-Options HTTP header, which tells the browser whether the page may be displayed in a frame: DENY prevents framing altogether, SAMEORIGIN prevents framing by external sites, and ALLOW-FROM origin allows framing only by the specified site. Rack::Protection sends SAMEORIGIN by default, which is why your app will not render inside the Facebook canvas iframe. Note that ALLOW-FROM was never honoured by every browser (Chrome and Safari ignore it); the Content-Security-Policy frame-ancestors directive is its standardised replacement.
To fix it, simply turn off clickjacking prevention. Be aware that this removes the header from every response, so any site, not only Facebook, can then frame your application:
set :protection, :except => :frame_options
Question: Wouldn't it be better to set X-Frame-Options to only allow framing by a specified site, in this case Facebook?
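The following is an added example, not code from the page or from rack-protection: a gem-free Rack-style middleware that mirrors how Rack::Protection::FrameOptions adds X-Frame-Options to HTML responses, extended with the allow-one-site variant the question asks about. The framing origin https://apps.facebook.com is an assumption, and pairing each header with a matching Content-Security-Policy frame-ancestors directive is this example's own choice, made because ALLOW-FROM alone is not honoured by all browsers.

```ruby
# Added example (not from the original page or from rack-protection):
# a Rack-style middleware that mimics what Rack::Protection::FrameOptions does
# with X-Frame-Options, plus the "allow only one site" variant from the question.

class FrameGuard
  # policy: :deny, :sameorigin, or a String origin such as
  #         'https://apps.facebook.com' (assumed framing site) to allow only
  #         that site. nil models `set :protection, :except => :frame_options`:
  #         no header at all, so any page may frame the response.
  def initialize(app, policy: :sameorigin)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    add_headers(headers) if html?(headers)
    [status, headers, body]
  end

  # The anti-framing headers for the configured policy.
  def framing_headers
    case @policy
    when nil
      {}
    when :deny
      { 'X-Frame-Options' => 'DENY',
        'Content-Security-Policy' => "frame-ancestors 'none'" }
    when :sameorigin
      { 'X-Frame-Options' => 'SAMEORIGIN',
        'Content-Security-Policy' => "frame-ancestors 'self'" }
    when String
      # ALLOW-FROM is ignored by Chrome and Safari, so pair it with the CSP
      # directive that replaced it; browsers that understand CSP prefer it.
      { 'X-Frame-Options' => "ALLOW-FROM #{@policy}",
        'Content-Security-Policy' => "frame-ancestors #{@policy}" }
    else
      raise ArgumentError, "unknown framing policy #{@policy.inspect}"
    end
  end

  private

  # Only HTML can be framed; like FrameOptions, leave JSON, images, etc. alone.
  def html?(headers)
    headers['Content-Type'].to_s.start_with?('text/html')
  end

  # Never overwrite a header the application set itself (||= semantics).
  def add_headers(headers)
    framing_headers.each { |name, value| headers[name] ||= value }
  end
end

# Constructed downstream app: an HTML canvas page with no framing headers.
CANVAS_PAGE = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<h1>canvas</h1>']] }

# Run one request through FrameGuard and return the response headers.
def headers_for(policy, app = CANVAS_PAGE)
  FrameGuard.new(app, policy: policy).call({})[1]
end

if $PROGRAM_NAME == __FILE__
  # Default: SAMEORIGIN, so the Facebook frame is refused.
  p headers_for(:sameorigin)['X-Frame-Options']
  # The page's fix: header removed, every site may frame the app.
  p headers_for(nil).key?('X-Frame-Options')
  # The alternative from the question: only the named site may frame it.
  p headers_for('https://apps.facebook.com')['Content-Security-Policy']
end
```

The String policy is the answer to the question in code: the app stays frameable by Facebook while every other site is still refused, and existing per-route headers are preserved because the middleware only fills in headers that are absent.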