Is there any way to make these route specific? If it's anything like the CSP headers, I worry the development-specific allowances risk giving us a false sense that things are working correctly. That being said, I doubt we'll have much use for frames outside these previews 🤷
There's an allow-from option, so I can try that
Oh wait, allow-from is obsolete: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Would you prefer ALLOWALL or SAMEORIGIN? I feel like they're roughly the same level of risk, since in local development everything is from the same origin, so we can't quite list the specific pages.
Pardon my ignorance of the feature: Is it limited to specific environments out-of-the-box?
Yeah, it's limited to development by default, but I'm not finding any direct documentation, only indirect documentation (e.g. Stack Overflow answers on enabling it in prod, which implies it's not enabled in prod, and this tutorial).
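On the "route specific" question above: one way to avoid an app-wide ALLOWALL is to set X-Frame-Options per path in a Rack middleware, relaxing it only under the prefix where the mailer previews are served and keeping the strict value everywhere else. The snippet below is an added example, not code from this PR or from Rails; the `/rails/mailers` prefix, the `DENY`/`SAMEORIGIN` values and the `enabled:` flag (which a Rails app would tie to the development environment) are assumptions for illustration. It uses only the plain Rack calling convention, so it runs without any gems.

```ruby
# Added example (not part of the PR): a Rack-style middleware that scopes the
# X-Frame-Options relaxation to one path prefix instead of setting it app-wide.
# The prefix, header values and enabled flag are assumptions for illustration.

# Assumed: the path under which mailer previews are served.
FRAMEABLE_PREFIX = "/rails/mailers".freeze

class RouteScopedFrameOptions
  STRICT  = "DENY".freeze
  RELAXED = "SAMEORIGIN".freeze

  # enabled: would be something like Rails.env.development? in a real app.
  def initialize(app, frameable_prefix: FRAMEABLE_PREFIX, enabled: true)
    @app = app
    @prefix = frameable_prefix
    @enabled = enabled
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    path = env["PATH_INFO"].to_s
    # Only the preview routes get the relaxed value, and only when enabled;
    # every other response is forced to the strict value regardless of what
    # the downstream app set.
    headers["X-Frame-Options"] = (@enabled && frameable?(path)) ? RELAXED : STRICT
    [status, headers, body]
  end

  private

  # Match the prefix as a whole path segment so "/rails/mailersfoo" is not
  # treated as a preview route.
  def frameable?(path)
    path == @prefix || path.start_with?("#{@prefix}/")
  end
end

# Constructed downstream app standing in for the real application: it sets
# no frame header of its own.
INNER_APP = lambda do |env|
  [200, { "Content-Type" => "text/html" }, ["<p>#{env['PATH_INFO']}</p>"]]
end

# Helper returning the header the middleware emits for a given path.
def frame_options_for(path, enabled: true)
  app = RouteScopedFrameOptions.new(INNER_APP, enabled: enabled)
  _status, headers, _body = app.call({ "PATH_INFO" => path, "REQUEST_METHOD" => "GET" })
  headers["X-Frame-Options"]
end

if __FILE__ == $PROGRAM_NAME
  puts frame_options_for("/rails/mailers/user_mailer/welcome")
  puts frame_options_for("/dashboard")
  puts frame_options_for("/rails/mailersfoo")
end
```

In a Rails app this would be registered with `config.middleware.use RouteScopedFrameOptions, enabled: Rails.env.development?` from `config/environments/development.rb`, which keeps the relaxation out of the production header set entirely. Note this only covers X-Frame-Options; if the app also sends a CSP with a `frame-ancestors` directive, that directive takes precedence in browsers that support it and would need the same per-route scoping.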
- Include specs to make sure we implement them in the future
Code Climate is lagging... going to admin merge.
I wanted a way to investigate #5498 (comment), so I remembered this nifty Rails feature: mailer previews!
Lets us do cool things like check the plain-text equivalent and see it in other languages.