
@dwayne
Last active August 17, 2018 20:10
Things I've learnt while developing Facebook applications with Sinatra.

Problem

  1. Blank page.
  2. Error in Chrome: Refused to display document because display forbidden by X-Frame-Options.

Reason

Sinatra uses Rack::Protection to defend your application against common, opportunistic attacks. One of those attacks is clickjacking. The defence relies on a (then new) HTTP response header, X-Frame-Options, whose value either forbids framing altogether (DENY), allows framing only by pages from the same origin (SAMEORIGIN), or allows framing only by one specified site (ALLOW-FROM origin).

Fix

To fix it, simply turn off Clickjacking prevention.

set :protection, :except => :frame_options

Question: Wouldn't it be better to set X-Frame-Options to allow framing only by a specified site, in this case Facebook?
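To make the trade-off behind that question concrete, here is an added example (not code from the gist or from Sinatra/Rack::Protection): a minimal Rack-style middleware that applies each of the framing policies named above, plus the Content-Security-Policy frame-ancestors directive that later superseded ALLOW-FROM, and a small function that models the browser's decision. It uses only the Rack calling convention (call(env) returning [status, headers, body]) so it runs without the sinatra or rack gems. The class and method names, the app origin and the assumed framing origin https://apps.facebook.com are all constructed for this illustration. Two caveats a practitioner should keep in mind: disabling frame_options entirely (the fix above) leaves the app frameable by any site, not just Facebook, and ALLOW-FROM was never implemented by Chrome or Safari, so a whitelist of a single framing site is only portable via frame-ancestors.

```ruby
# Added example, not part of the gist. Minimal Rack-style middleware that
# sets each framing policy the gist mentions, plus CSP frame-ancestors.

APP_ORIGIN      = "https://myapp.example"      # constructed: where the app is served
FACEBOOK_ORIGIN = "https://apps.facebook.com"  # assumed framing origin of a canvas app

# Stand-in for a Sinatra route: a plain Rack app.
HELLO_APP = lambda { |_env| [200, { "Content-Type" => "text/html" }, ["<h1>hi</h1>"]] }

class FrameOptions
  # policy: :deny, :sameorigin, :allow_from, :csp, or :off (the gist's fix)
  def initialize(app, policy: :sameorigin, origin: nil)
    @app, @policy, @origin = app, policy, origin
  end

  def call(env)
    status, headers, body = @app.call(env)
    case @policy
    when :deny       then headers["X-Frame-Options"] = "DENY"
    when :sameorigin then headers["X-Frame-Options"] = "SAMEORIGIN"
    when :allow_from then headers["X-Frame-Options"] = "ALLOW-FROM #{@origin}"
    when :csp        then headers["Content-Security-Policy"] = "frame-ancestors 'self' #{@origin}"
    when :off        then nil # no header at all: any site may frame the page
    end
    [status, headers, body]
  end
end

# Run one request through the middleware and return the response headers.
def response_headers(policy, origin: nil)
  _status, headers, _body = FrameOptions.new(HELLO_APP, policy: policy, origin: origin).call({})
  headers
end

# Models the browser-side decision: may a page at framer_origin embed the
# response? ALLOW-FROM is treated as honoured here, which Chrome and Safari
# never did; frame-ancestors takes precedence when both headers are present.
def frameable_by?(headers, framer_origin, app_origin: APP_ORIGIN)
  if (csp = headers["Content-Security-Policy"])
    sources = csp.sub(/\Aframe-ancestors\s+/, "").split
    return sources.any? { |src| src == framer_origin || (src == "'self'" && framer_origin == app_origin) }
  end
  case headers["X-Frame-Options"]
  when nil                    then true
  when "DENY"                 then false
  when "SAMEORIGIN"           then framer_origin == app_origin
  when /\AALLOW-FROM (\S+)\z/ then framer_origin == $1
  else false # unknown value: a browser falls back to refusing to frame
  end
end

if __FILE__ == $0
  [:sameorigin, :off, :allow_from, :csp, :deny].each do |policy|
    h = response_headers(policy, origin: FACEBOOK_ORIGIN)
    puts format("%-11s facebook=%-5s other=%-5s", policy,
                frameable_by?(h, FACEBOOK_ORIGIN), frameable_by?(h, "https://other.example"))
  end
end
```

The :sameorigin row is Rack::Protection's default, which is why the blank page appears inside Facebook's frame; :off reproduces the gist's fix and shows that "https://other.example" is then allowed too; :allow_from and :csp are the two ways to express the single-site whitelist the question asks about.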

Resources
