How to configure X-Frame-Options in Django to allow iframe embedding of one view?


You are going in the right direction, but the exact decorator you will need to achieve this is 'xframe_options_exempt'.

from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_exempt

@xframe_options_exempt
def ok_to_load_in_a_frame(request):
    return HttpResponse("This page is safe to load in a frame on any site.")

PS: Django 1.6 is no longer supported. It is a good time to get an upgrade.


Apparently you can set a rule in your settings like the following:

X_FRAME_OPTIONS = 'ALLOW-FROM https://example.com/'

Also, nowadays you should consider moving to CSP:

Content-Security-Policy: frame-ancestors 'self' example.com *.example.net;

See https://stackoverflow.com/a/25617678/186202