I work on Facebook (with the Koala gem) and finally have to deal with a user who has changed their password. Although this may not be the best interaction, my application catches the authentication change and provides the user with a clickable link to reauthorize. Clicking on the link gets to FB correctly, and the redirection provides the expected auth_code. HOWEVER, the page served in response to the FB redirect comes back with X-Frame-Options set to DENY, as a result of which the user never sees the result of re-authentication.
I am lost as to why X-Frame-Options is set to DENY.
I tried setting the X-Frame-Options to SAMEORIGIN from a Rails application (3.2.6), adding the following line to the action:
response.headers['X-Frame-Options'] = 'SAMEORIGIN'
Bad luck.
I also tried setting the response headers through Apache. I tried installing the X-Frame-Header for the entire site, and also targeting specific URLs that might be affected. The current configuration looks like this (edited):
<VirtualHost *:443>
  ServerName xx.xx.com
  DocumentRoot /apps/fb-publisher/current/public
  PassengerRuby /home/ubuntu/.rvm/wrappers/ruby-1.9.2-p290@rails3/ruby
  ... SSL config ...
  <Location ~ "/publisher/(revalidate|new)">
    Header set X-Frame-Options SAMEORIGIN
  </Location>
  <Directory /apps/fb-publisher/current/public>
    ...
  </Directory>
</VirtualHost>
My attempt is to force X-Frame-Options to SAMEORIGIN for xx.xx.com/publisher/new and xx.xx.com/publisher/revalidate. I tried separate Location and LocationMatch blocks targeting the separate URLs in addition to the current configuration. I also tried using Header unset (instead of set) to remove X-Frame-Options, but it is still present.
As far as I can tell, these are the ONLY URLs in the application that return the X-Frame-Options header set to DENY.
Ideas?
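As an added example (not code from the question, the Koala gem or Rails), here is a plain-Ruby Rack middleware that applies the same per-path override the Apache Location block above attempts, but at the application layer, where it runs after the Rails response has been built and so has the last word on the header. The two paths come from the question; the inner app that always answers DENY is constructed to reproduce the symptom, and the class and helper names are hypothetical.

```ruby
# Added example: Rack middleware that relaxes X-Frame-Options only on the
# two Facebook-facing paths from the question and leaves DENY everywhere else.
# Needs only the Ruby standard library (no rack gem required to run this file).
# In a Rails app it would be registered in config/application.rb with
#   config.middleware.insert 0, FrameOptionsOverride
# so that it sits outermost and rewrites whatever the inner stack produced.

FRAMEABLE_PATHS = %r{\A/publisher/(?:revalidate|new)\z}.freeze

class FrameOptionsOverride
  # options[:paths] - regexp of paths to rewrite (default: the two from the question)
  # options[:value] - replacement header value; nil deletes the header entirely
  def initialize(app, options = {})
    @app   = app
    @paths = options.fetch(:paths, FRAMEABLE_PATHS)
    @value = options.fetch(:value, 'SAMEORIGIN')
  end

  # Rack entry point: let the inner app build its response, then rewrite the
  # header on the way out. Whatever ran inside (controller, other middleware)
  # has already set its value, so this assignment is the one the client sees.
  def call(env)
    status, headers, body = @app.call(env)
    if env['PATH_INFO'] =~ @paths
      if @value.nil?
        headers.delete('X-Frame-Options')    # allow framing by any origin
      else
        headers['X-Frame-Options'] = @value
      end
    end
    [status, headers, body]
  end
end

# Constructed stand-in for the Rails stack: every response carries DENY,
# which is exactly the behaviour the question describes.
DENY_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/html', 'X-Frame-Options' => 'DENY' }, ['<html></html>']]
end

# Helper: issue a GET for +path+ through the wrapped app and return the
# X-Frame-Options value the client would receive (nil if the header is absent).
def frame_options_for(path, value = 'SAMEORIGIN')
  app = FrameOptionsOverride.new(DENY_APP, :value => value)
  _status, headers, _body = app.call('REQUEST_METHOD' => 'GET', 'PATH_INFO' => path)
  headers['X-Frame-Options']
end

if __FILE__ == $PROGRAM_NAME
  %w[/publisher/new /publisher/revalidate /publisher/other].each do |p|
    puts "#{p} -> #{frame_options_for(p).inspect}"
  end
end
```

SAMEORIGIN only permits framing by pages from the same origin, so a response framed by facebook.com is still blocked; removing the header (value nil above) is the only X-Frame-Options setting that allows it, at the cost of clickjacking protection on those two endpoints.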