Don't set 'same origin' policy for widget iframes.

Whilst this is a good security precaution in general, we want people to display these widgets in iframes on other sites.
author: Louise Crow <louise.crow@gmail.com> 2015-01-05 17:10:29 +0000
committer: Louise Crow <louise.crow@gmail.com> 2015-04-27 16:54:59 +0100
commit: d16b7e1f15e9c7abe3db986850f5e60ff186c271 (patch)
tree: 3a9c04c3f39080a6c729764ba5bef6ed60eec84b
parent: b849d9b7d0fd68d9bc72a4dd0725f2fbb2d6aa86 (diff)
2 files changed, 6 insertions, 0 deletions
diff --git a/app/controllers/widgets_controller.rb b/app/controllers/widgets_controller.rb
index 017d3a77f..a529e591b 100644
--- a/app/controllers/widgets_controller.rb
+++ b/app/controllers/widgets_controller.rb
@@ -9,6 +9,7 @@ require 'securerandom'
 class WidgetsController < ApplicationController
 
     before_filter :check_widget_config, :find_info_request
+    skip_before_filter :set_x_frame_options_header, :only => [:show]
 
     def show
         medium_cache
diff --git a/spec/controllers/widgets_controller_spec.rb b/spec/controllers/widgets_controller_spec.rb
index 28f6c1904..80c2d2f26 100644
--- a/spec/controllers/widgets_controller_spec.rb
+++ b/spec/controllers/widgets_controller_spec.rb
@@ -32,6 +32,11 @@ describe WidgetsController do
             assigns[:status].should == @info_request.calculate_status
         end
 
+        it 'should not send an x-frame-options header' do
+            get :show, :request_id => @info_request.id
+            response.headers["X-Frame-Options"].should be_nil
+        end
+
         context 'for a non-logged-in user' do
 
             context 'if no widget-vote cookie is set' do
author	Louise Crow <louise.crow@gmail.com>	2015-01-05 17:10:29 +0000
committer	Louise Crow <louise.crow@gmail.com>	2015-04-27 16:54:59 +0100
commit	d16b7e1f15e9c7abe3db986850f5e60ff186c271 (patch)
tree	3a9c04c3f39080a6c729764ba5bef6ed60eec84b
parent	b849d9b7d0fd68d9bc72a4dd0725f2fbb2d6aa86 (diff)