openstreetmap/copyright barred from loading in a frame

Tom Hughes tom at compton.nu
Sat Feb 14 15:28:27 UTC 2015


On 14/02/15 15:23, Ian Dees wrote:

> Tom, I think the secret is that he wants you to click the
> "OpenStreetMap" link on that page. It's supposed to load inside the
> iframe but doesn't.

Yes I understand that, but didn't see how it was going to help me.

> Chrome tells me:
> "Refused to display 'http://www.openstreetmap.org/copyright' in a frame
> because it set 'X-Frame-Options' to 'SAMEORIGIN'."

Well if he had quoted that full error we wouldn't have had to go round in 
circles...

> Sure enough, it looks like the X-Frame-Options header from the rails app
> is set to "SAMEORIGIN", which the browser apparently uses as a signal to
> prevent it from loading.

Right. I think that is a default that rails sets.

There's probably no harm in relaxing that for the copyright page, if 
that's possible of course, at least so long as it doesn't open a way for 
the surrounding page to steal the cookie, but I think that is supposed 
to be impossible.

Whether we want to encourage something as evil as frames is another 
matter of course ;-)

Tom

-- 
Tom Hughes (tom at compton.nu)
http://compton.nu/
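
One way to relax the header for a single page, as discussed in the message above: a Rack-style middleware that removes X-Frame-Options only for an exact allow-list of paths and leaves SAMEORIGIN everywhere else. This is an added example, not code from the message or from the OpenStreetMap rails app; FrameOptionsRelaxer, the allow-list and the stand-in app are hypothetical names, and the middleware follows the Rack call convention without needing the rack gem.

```ruby
# Added example (hypothetical names): per-path relaxation of X-Frame-Options.
class FrameOptionsRelaxer
  HEADER = "x-frame-options"

  # app: any Rack-style callable; frameable_paths: exact paths that may be framed
  def initialize(app, frameable_paths)
    @app = app
    @frameable_paths = frameable_paths
  end

  def call(env)
    status, headers, body = @app.call(env)
    if frameable?(env["PATH_INFO"].to_s)
      # Header names are case-insensitive, so compare in lower case.
      headers = headers.reject { |name, _| name.to_s.downcase == HEADER }
    end
    [status, headers, body]
  end

  private

  # Exact match only (a trailing slash is tolerated). No prefix matching, so
  # "/copyright/../login" or "/copyright-anything" keeps the default header.
  def frameable?(path)
    normalized = path.length > 1 ? path.chomp("/") : path
    @frameable_paths.include?(normalized)
  end
end

# Constructed stand-in for the application: sets SAMEORIGIN on every response.
INNER_APP = lambda do |env|
  [200,
   { "Content-Type" => "text/html", "X-Frame-Options" => "SAMEORIGIN" },
   ["page for #{env['PATH_INFO']}"]]
end

APP = FrameOptionsRelaxer.new(INNER_APP, ["/copyright"])

# Returns the X-Frame-Options value a client would see for the path, or nil.
def frame_header_for(path)
  _status, headers, _body = APP.call("PATH_INFO" => path, "REQUEST_METHOD" => "GET")
  headers.find { |name, _| name.downcase == "x-frame-options" }&.last
end

if __FILE__ == $PROGRAM_NAME
  ["/copyright", "/copyright/", "/login", "/copyright/../login"].each do |p|
    puts "#{p.ljust(22)} X-Frame-Options: #{frame_header_for(p).inspect}"
  end
end
```

Keeping the allow-list to exact paths means pages that accept input or show account state stay covered by SAMEORIGIN, which is the clickjacking protection the default exists for.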


