Modern browsers honor the X-Frame-Options HTTP header that indicates whether or not a resource is allowed to load within a frame or iframe. If the response contains the header with a value of SAMEORIGIN then the browser will only load the resource in a frame if the request originated from the same site.
X-Frame-Options: DENY is a header that forbids a page from being displayed in a frame. If your server is configured to send this header, your sign-on screen will not be allowed to load within the embed codes provided by Credo, which use the iframe HTML element.
You are going in the right direction, but the exact decorator you will need to achieve this is 'xframe_options_exempt'.
from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_exempt

# Marks the response so XFrameOptionsMiddleware does not add X-Frame-Options
# to this one view, while every other view keeps the configured protection.
@xframe_options_exempt
def ok_to_load_in_a_frame(request):
    return HttpResponse("This page is safe to load in a frame on any site.")
PS: Django 1.6 is no longer supported. It is a good time to upgrade.
Apparently you can set a rule in your settings like the following:
X_FRAME_OPTIONS = 'ALLOW-FROM https://example.com/'
Also, nowadays you should consider moving to CSP:
Content-Security-Policy: frame-ancestors 'self' example.com *.example.net;
See https://stackoverflow.com/a/25617678/186202
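The following is an added example, not code from either answer above or from Django itself. It models in plain Python how the 'xframe_options_exempt' decorator and XFrameOptionsMiddleware from the first answer cooperate (the decorator flags the response, the middleware skips flagged responses), and then shows the CSP frame-ancestors replacement suggested in the second answer: a helper that builds the header from a list of allowed embedders and a simplified matcher that shows which ancestor origins the policy admits. The Response class, the xframe_options_middleware() wrapper and frame_allowed() are constructed stand-ins for this example; the origins used in the tests (app.example.org, sso.example.net, evil.test) are made up.

```python
# Added example (not from the original answers or from Django): a framework-agnostic
# model of Django's clickjacking protection, plus the CSP frame-ancestors replacement.
# Names mirror Django's (xframe_options_exempt, XFrameOptionsMiddleware); the
# Response class and the frame_allowed() matcher are simplified stand-ins.
from functools import wraps
from urllib.parse import urlsplit


class Response:
    """Minimal stand-in for django.http.HttpResponse (constructed for this example)."""

    def __init__(self, body, headers=None):
        self.body = body
        self.headers = dict(headers or {})


def xframe_options_exempt(view):
    """Same mechanism as Django's decorator: flag the response so the
    middleware leaves X-Frame-Options off for this view only."""

    @wraps(view)
    def wrapped(request, *args, **kwargs):
        response = view(request, *args, **kwargs)
        response.xframe_options_exempt = True
        return response

    return wrapped


def xframe_options_middleware(get_response, x_frame_options="DENY"):
    """Same logic as django.middleware.clickjacking.XFrameOptionsMiddleware:
    add the header (from the X_FRAME_OPTIONS setting, default DENY) to every
    response unless the view opted out."""
    value = x_frame_options.upper()

    def handler(request):
        response = get_response(request)
        if getattr(response, "xframe_options_exempt", False):
            return response
        response.headers.setdefault("X-Frame-Options", value)
        return response

    return handler


@xframe_options_exempt
def ok_to_load_in_a_frame(request):
    return Response("This page is safe to load in a frame on any site.")


def normal_view(request):
    return Response("Protected by X-Frame-Options.")


def frame_ancestors_header(sources):
    """Build the CSP header that replaces X-Frame-Options. `sources` are
    frame-ancestors source expressions: 'self', 'none', example.com,
    *.example.net, https://example.com. An empty list means 'none' (deny)."""
    quoted = [f"'{s}'" if s in ("self", "none") else s for s in sources] or ["'none'"]
    return "Content-Security-Policy", "frame-ancestors " + " ".join(quoted)


def frame_allowed(sources, page_origin, ancestor_origin):
    """Simplified evaluation of frame-ancestors (scheme and host only; real
    CSP matching also covers ports and paths): may a document at
    ancestor_origin frame the page served from page_origin?"""
    page, anc = urlsplit(page_origin), urlsplit(ancestor_origin)
    for src in sources:
        if src == "none":
            return False
        if src == "self":
            if (page.scheme, page.hostname) == (anc.scheme, anc.hostname):
                return True
            continue
        scheme, _, host = src.rpartition("://")  # scheme is '' when absent
        if scheme and scheme != anc.scheme:
            continue
        if host.startswith("*."):
            # A wildcard matches subdomains only, never the bare domain.
            if anc.hostname and anc.hostname.endswith(host[1:]):
                return True
        elif host == anc.hostname:
            return True
    return False


if __name__ == "__main__":
    print(xframe_options_middleware(normal_view)(None).headers)
    print(xframe_options_middleware(ok_to_load_in_a_frame)(None).headers)
    print(frame_ancestors_header(["self", "example.com", "*.example.net"]))
```

Two points the matcher makes visible: X-Frame-Options can express only "nobody", "same origin" or (with the obsolete ALLOW-FROM, which not every browser ever honored) a single origin, whereas frame-ancestors takes a list with scheme and wildcard-subdomain sources; and `*.example.net` admits sso.example.net but not example.net itself, so list the apex host separately if it must embed you too.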