Class: Rack::Protection::FrameOptions
| Relationships & Source Files | |
| Super Chains via Extension / Inclusion / Inheritance | |
|
Class Chain:
self,
Base
|
|
|
Instance Chain:
self,
Base
|
|
| Inherits: |
Rack::Protection::Base
|
| Defined in: | rack-protection/lib/rack/protection/frame_options.rb |
Overview
- Prevented attack
Clickjacking
- Supported browsers
- Chrome 26 and later
- Edge 12 and later
- Safari 5.1 and later
- Mobile Safari 7 and later
- Firefox 4 and later
- Internet Explorer 8 and later
- See full details at https://caniuse.com/mdn-http_headers_content-security-policy_frame-ancestors
- More info
Sets X-Frame-Options header to tell the browser avoid embedding the page in a frame. Note that in modern browsers, the preferred approach is to use the frame-ancestors directive in your content security policy.
Notes:
- This middleware won't do anything for non-HTML responses.
- If your app sets X-Frame-Options header, this middleware will not override it.
Options
[:frame_options] Defines who should be allowed to embed the page in a frame. [:deny] forbid any embedding [:sameorigin] allow embedding from the same origin
The default is <tt>:sameorigin</tt>.
[Rack::Protection::Base options] options supported by Rack::Protection::Base may affect this middleware.
Example: Default behavior
# Embedding from same origin is allowed
use Rack::Protection::FrameOptions
Example: Deny embedding
# Embedding is not allowed
use Rack::Protection::FrameOptions, frame_options: :deny
Constant Summary
Base - Inherited
Class Method Summary
Base - Inherited
| .default_options | Used by subclasses to declare default values for options they require. |
| .default_reaction | Used by subclasses to declare default reaction when a request is rejected. |
| .new | |
Instance Attribute Summary
Instance Method Summary
Base - Inherited
| #accepts?, #call, #debug, #default_options, | |
| #default_reaction | Alias for Base#deny. |
| #deny | Deny the request. |
| #drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer, | |
| #report | When used as a reaction (with option reaction: :report), any rejected request will be allowed through, and a warning is omitted (note that warnings will not be shown if the :logging option has been set to false). |
| #safe?, #secure_compare, #session, #session?, #warn | |
Constructor Details
This class inherits a constructor from Rack::Protection::Base
Instance Method Details
#call(env)
[ GitHub ]# File 'rack-protection/lib/rack/protection/frame_options.rb', line 60
def call(env) status, headers, body = @app.call(env) headers['x-frame-options'] ||= if html? headers [status, headers, body] end
#frame_options
[ GitHub ]# File 'rack-protection/lib/rack/protection/frame_options.rb', line 52
def @frame_options ||= begin = [:] = [:].to_s.upcase unless .respond_to? :to_str .to_str end end