This has to do with Rails 4 enabling additional security protocols by default: http://weblog.rubyonrails.org/2013/2/25/Rails-4-0-beta1/
The setting that breaks iFrames on remote sites is X-Frame-Options. By default, this is set to SAMEORIGIN, which prevents the content from being loading cross domain:
config.action_dispatch.default_headers = {
'X-Frame-Options' => 'SAMEORIGIN'
}
You can read about the new default headers here:
http://edgeguides.rubyonrails.org/security.html#default-headers
In order to allow the iFrame to work cross domain, you can change the default headers to allow X-Frame across domain.
config.action_dispatch.default_headers = {
'X-Frame-Options' => 'ALLOWALL'
}