
Refused to display iframe or embed tag in Django 3.0 and Chrome

I had a Django app that used an iframe to display a PDF stored on my local machine, something like this:

<embed src="path_to_file.pdf" type="application/pdf">

Everything worked just fine in all supported browsers... Until today.

The app suddenly stopped working on Chrome and the console displays the message Refused to display 'path_to_file.pdf' in a frame because it set 'X-Frame-Options' to 'deny'.

In other browsers it's still working as usual. I don't know if Chrome just made an update or what changed, but it is not working anymore. Any help would be appreciated!

Manuel Montoya asked Apr 15 '20 23:04


2 Answers

After going through a lot of similar questions and trying lots of different things, I finally found a solution for my problem thanks to the Django documentation.

Since Django 3.0, the default value of the X_FRAME_OPTIONS setting was changed from SAMEORIGIN to DENY.

So I just had to add X_FRAME_OPTIONS = 'SAMEORIGIN' to settings.py and the problem was gone.

I still don't know what change made my code stop working, because I had already been using Django 3.0 since it was released; it was probably a Chrome update.

Manuel Montoya answered Sep 21 '22 15:09


Recording an incident here specifically with a Vimeo embedded video. I needed to set SECURE_REFERRER_POLICY to None. The default was changed in Django 3.1.

MadeOfAir answered Sep 18 '22 15:09