<meta http-equiv="X-Frame-Options" content="GOFORIT">
For example (note that browsers only honour X-Frame-Options as an HTTP response header; the <meta http-equiv> form below is ignored, so the controller change in step 2 is what actually takes effect):
<!DOCTYPE html>
<html>
<head>
<title>电子病历系统</title>
<%= stylesheet_link_tag "application", media: "all", "data-turbolinks-track" => true %>
<%= javascript_include_tag "application", "data-turbolinks-track" => true %>
<meta http-equiv="X-Frame-Options" content="GOFORIT">
<%= csrf_meta_tags %>
</head>
<body>
<%= yield %>
</body>
</html>
Step 2: in application_controller.rb under the controllers directory, add:
protect_from_forgery with: :exception
before_action :add_xframe   # the original used before_filter, an alias that was removed in Rails 5.1
def add_xframe
  # Overwrites the X-Frame-Options: SAMEORIGIN header that Rails sets by default
  headers['X-Frame-Options'] = 'GOFORIT'
end
so that the whole ApplicationController reads:
class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception
  before_action :add_xframe
  def add_xframe
    headers['X-Frame-Options'] = 'GOFORIT'
  end
end
With this the browser logs the following warning:
Invalid 'X-Frame-Options' header encountered when loading '...': 'GOFORIT' is not a recognized directive. The header will be ignored.
So replacing 'GOFORIT' with 'ALLOWALL' makes the embed work. Be aware of what that actually does, though: ALLOWALL is not a directive defined by RFC 7034 either (only DENY, SAMEORIGIN and ALLOW-FROM are). Chromium-based browsers treat it as "any site may frame this page"; Firefox logs a similar warning and ignores the header. Both outcomes have the same effect, because in both steps the X-Frame-Options: SAMEORIGIN header that Rails sends by default has been overwritten, so the application loses its clickjacking protection and can be framed from any origin. If the system genuinely has to be embedded, remove the header explicitly instead of overwriting it with an unrecognised value (config.action_dispatch.default_headers.delete('X-Frame-Options') in config/application.rb, or response.headers.delete('X-Frame-Options') in the controller), and restrict who may frame it with a Content-Security-Policy: frame-ancestors directive that lists only the embedding origins.
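The following is an added example, not code from the original post. It shows in plain Ruby what a browser does with the X-Frame-Options values used in the two steps above, and what an embeddable page should send instead. The parser is written from RFC 7034 with Chromium's non-standard ALLOWALL handling added; the origins, the default-header hash and the function names (parse_x_frame_options, framing_allowed?, embeddable_headers, frame_ancestors_allowed?) are all constructed for the example, and embeddable_headers manipulates an ordinary hash standing in for the Rails default headers rather than a real Rails response.

```ruby
# Added example (not from the original post). Models how a browser interprets
# X-Frame-Options (per RFC 7034, plus Chromium's ALLOWALL special case) and
# builds the headers an intentionally embeddable page should send instead.
# Assumption: the hash handed to embeddable_headers plays the role of
# config.action_dispatch.default_headers in a Rails app.

# Returns :deny, :sameorigin, [:allow_from, origin], :allowall or :ignored.
def parse_x_frame_options(value)
  return :ignored if value.nil?
  v = value.strip
  case v.upcase
  when 'DENY' then :deny
  when 'SAMEORIGIN' then :sameorigin
  when 'ALLOWALL' then :allowall # non-standard; Chromium accepts it, Firefox drops the header
  else
    m = v.match(/\AALLOW-FROM\s+(\S+)\z/i)
    m ? [:allow_from, m[1]] : :ignored # unrecognised directive: header dropped, page framable
  end
end

# May a top-level document at top_origin frame a page at page_origin that
# sends this X-Frame-Options value?
def framing_allowed?(header_value, page_origin, top_origin)
  decision = parse_x_frame_options(header_value)
  case decision
  when :deny then false
  when :sameorigin then page_origin == top_origin
  when Array then decision[1] == top_origin
  else true # :allowall and :ignored both let any origin frame the page
  end
end

# Rails sends X-Frame-Options: SAMEORIGIN by default. For a page that must be
# embedded by known partners, delete that header rather than overwriting it
# with an invalid value, and allowlist the framers with CSP frame-ancestors.
def embeddable_headers(default_headers, allowed_framers)
  headers = default_headers.dup
  headers.delete('X-Frame-Options')
  headers['Content-Security-Policy'] = "frame-ancestors 'self' #{allowed_framers.join(' ')}"
  headers
end

# Simplified frame-ancestors evaluation: exact origin match, 'self', 'none', '*'.
def frame_ancestors_allowed?(csp_value, page_origin, top_origin)
  directive = csp_value.split(';').map(&:strip).find { |d| d.start_with?('frame-ancestors') }
  return true if directive.nil? # no directive means CSP does not restrict framing
  sources = directive.split(/\s+/)[1..-1]
  sources.any? do |src|
    case src
    when "'none'" then false
    when "'self'" then top_origin == page_origin
    when '*' then true
    else src == top_origin
    end
  end
end

if __FILE__ == $0
  # Constructed sample origins: the EMR app, a partner portal and an attacker site.
  emr = 'https://emr.example'
  %w[SAMEORIGIN GOFORIT ALLOWALL].each do |value|
    puts "#{value.ljust(10)} framable by https://evil.example? #{framing_allowed?(value, emr, 'https://evil.example')}"
  end
  hardened = embeddable_headers({ 'X-Frame-Options' => 'SAMEORIGIN' }, ['https://partner.example'])
  puts "CSP: #{hardened['Content-Security-Policy']}"
  puts "partner allowed? #{frame_ancestors_allowed?(hardened['Content-Security-Policy'], emr, 'https://partner.example')}"
  puts "evil allowed?    #{frame_ancestors_allowed?(hardened['Content-Security-Policy'], emr, 'https://evil.example')}"
end
```

Both GOFORIT and ALLOWALL end up in the "any origin may frame this page" branch, which is exactly the clickjacking exposure the tutorial's fix introduces; the embeddable_headers route keeps framing limited to the origins that actually need it.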