There don't seem to be any docs, either on the website, or in the book, on how to use the ajax file that comes with the luminus template.


Is it as simple as calling load-interceptors at some point in your application prior to making ajax calls?


It also seems to me that js/csrfToken wouldn't even work in advanced compilation mode.


So is the ajax file from the template even useful, if using advanced compilation mode?


the ajax namespace is just there to set up the interceptors, you don’t really need to do anything with it unless you wish to add more interceptors


the js/csrfToken reference still works with advanced compilation as well


Thanks. What are the rules about which js/* forms get mangled by advanced and which don't? I thought almost nothing was safe from advanced.


I'm working with a company who will be including my luminus site inside of an iframe. Currently, they are getting an error that x-frame-options is set to same origin. I'm researching how to address this, and it looks like there is some ring middleware to allow specific origins, but there are all sorts of warnings that allow-from isn't supported by certain browsers. I'm not sure what it means that it is not supported -- does it mean browsers like Chrome won't be able to load the iframe, or they will? Next, I see some talk about Chrome supporting something called CSP instead. Is there some unified way of dealing with all of this?


oh I actually had to deal with the x-frame-options stuff recently


not sure if there’s any unified way to handle it


setting (header "Access-Control-Allow-Origin" "origin") where origin is the host should address that


and you can use * for any origin


if you’re using ring-defaults, you also have to create your own defaults with different :frame-options

:security  {:anti-forgery         false
            :xss-protection       {:enable? true, :mode :block}
            :frame-options        :sameorigin
            :content-type-options :nosniff}


Yes, I'm using the luminus template which uses ring-defaults.


What you listed above, is that the existing default, or what you are recommending I change to?


Looks like the luminus template sets :anti-forgery to false, handling the anti-forgery in a separate piece of middleware instead. :xss-protection, :frame-options, and :content-type-options stay the same as the default, which is what you listed above.


Do you happen to know whether the X-Frame-Options: ALLOW-FROM header would prevent the frame from including it if the user had used https?


Since several browsers do not respect ALLOW-FROM, have you tried using frame-ancestors instead, with ring/luminus?