Security guide suggests using invalid value for x-frame-options header

t...@vestorly.com

Jul 28, 2016, 3:58:04 PM7/28/16
to Ruby on Rails: Documentation
In the Default Headers section of the security guide, it suggests using ALLOWALL for the x-frame-options header:

X-Frame-Options: 'SAMEORIGIN' in Rails by default - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website.


As the discussion here points out, ALLOWALL is ignored by most browsers, and the correct way to get the expected behavior is to NOT set the header. Moreover, it's not a valid value according to RFC 7034:

There are three different values for the header field. These values are mutually exclusive; that is, the header field MUST be set to exactly one of the three values.

The valid values are: DENY, SAMEORIGIN, ALLOW-FROM.

So my question is: is there any reason to NOT update the doc? I'm happy to do it, I just wanted to verify first that there wasn't some explanation for why it should be left as-is.

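The RFC 7034 check the post describes, as an added Ruby example that is not part of the original thread and not Rails code: it classifies an X-Frame-Options value against the three valid forms, flags ALLOWALL as invalid, and shows the only "allow all" browsers actually honour, which is dropping the header from a Rails-style default_headers hash. The function names and the sample header hashes are my own.

```ruby
require 'uri'

XFO_NAME = 'X-Frame-Options'.freeze

# Classify an X-Frame-Options value per RFC 7034 section 2.1.
# Returns :deny, :sameorigin, :allow_from, or :invalid (ALLOWALL lands here).
def classify_xfo(value)
  return :invalid if value.nil?
  v = value.strip
  case v
  when /\ADENY\z/i then :deny
  when /\ASAMEORIGIN\z/i then :sameorigin
  when /\AALLOW-FROM\s+(\S+)\z/i
    # ALLOW-FROM takes a single serialized origin; we approximate that check
    # by requiring a parseable URI with a scheme and host (assumption).
    uri = (URI.parse(Regexp.last_match(1)) rescue nil)
    uri && uri.scheme && uri.host ? :allow_from : :invalid
  else
    :invalid
  end
end

# Audit a captured response-header hash (constructed sample input in the test).
# Returns a list of findings; an empty list means the header is RFC-valid.
def audit_xfo(headers)
  key = headers.keys.find { |k| k.casecmp?(XFO_NAME) }
  return ["no #{XFO_NAME} header: framing is allowed from any origin"] unless key
  value = headers[key]
  if classify_xfo(value) == :invalid
    ["#{XFO_NAME}: #{value.inspect} is not a valid RFC 7034 value; browsers " \
     "ignore it (remove the header to allow framing, else use DENY/SAMEORIGIN)"]
  else
    []
  end
end

# "Allow framing from anywhere" the way browsers honour it: no header at all.
# Mirrors removing the key from config.action_dispatch.default_headers.
def allow_all_framing(headers)
  headers.reject { |k, _| k.casecmp?(XFO_NAME) }
end
```

In a real app the same removal is `config.action_dispatch.default_headers.delete('X-Frame-Options')` in config/application.rb rather than setting the header to ALLOWALL.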
