Django 1.8 XFrameOptionsMiddleware and xframe_options_exempt decorators not working

I have a website I have built in Django 1.8 which must load in a Box.com iframe. However, it is not loading in Chrome and I get the X-Frame-Options SAMEORIGIN error.

But I have added the following middleware classes:

MIDDLEWARE_CLASSES = (
    # Default Django middleware.
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.locale.LocaleMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
)

and in my views.py added the xframe_options_exempt decorator like so:

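from django.views.decorators.clickjacking import xframe_options_exempt
from rest_framework.decorators import api_view
from rest_framework.response import Response
# Category and CategorySerializer come from the project's own modules.

@api_view(['GET'])
@xframe_options_exempt
def category_list(request):
    """
    List all categories.
    """
    if request.method == 'GET':
        categories = Category.objects.order_by('-category_type')
        serializer = CategorySerializer(categories, many=True)
        return Response(serializer.data)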

Plus I have tried adding the following setting with no luck:

X_FRAME_OPTIONS = 'ALLOW-FROM https://app.box.com/'

Can anyone help me discover why this is still not allowing the page to load? Do I also need to add the decorator function in urls.py like this?

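from django.conf.urls import patterns, url
from django.views.decorators.clickjacking import xframe_options_exempt

from base.views import category_list

urlpatterns = patterns('base.views',
    # Wrap the view callable so its responses are flagged exempt.
    url(r'^categories$', xframe_options_exempt(category_list)),
)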
Nectarous answered 4/5, 2015 at 21:51
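
How the middleware, the decorator and the X_FRAME_OPTIONS setting from the question interact, as an added example that is not part of the original post and not Django's own code: a stand-alone Python model of the documented behaviour. `FakeResponse`, `clickjacking_middleware`, `plain_view`, `exempt_view` and `final_header` are hypothetical names made up for this sketch.

```python
# Stand-alone model of the documented X-Frame-Options logic; not Django's code.
import functools

DEFAULT_POLICY = "SAMEORIGIN"  # Django 1.8 default when X_FRAME_OPTIONS is unset


class FakeResponse:
    """Hypothetical stand-in for HttpResponse: a body plus a header dict."""
    def __init__(self, body=""):
        self.body = body
        self.headers = {}


def xframe_options_exempt(view):
    """Model of the decorator: flag the response object the view returns."""
    @functools.wraps(view)
    def wrapped(*args, **kwargs):
        response = view(*args, **kwargs)
        response.xframe_options_exempt = True
        return response
    return wrapped


def clickjacking_middleware(response, settings):
    """Model of the middleware's response step; returns (response, reason)."""
    if "X-Frame-Options" in response.headers:
        return response, "header already present, left unchanged"
    if getattr(response, "xframe_options_exempt", False):
        return response, "response flagged exempt, no header added"
    # Django upper-cases the configured value, URL included.
    value = settings.get("X_FRAME_OPTIONS", DEFAULT_POLICY).upper()
    response.headers["X-Frame-Options"] = value
    return response, "header added from settings"


def plain_view(request):
    return FakeResponse("categories")


@xframe_options_exempt
def exempt_view(request):
    return FakeResponse("categories")


def final_header(view, settings):
    """Run a view through the model; return (X-Frame-Options or None, reason)."""
    response, reason = clickjacking_middleware(view(None), settings)
    return response.headers.get("X-Frame-Options"), reason
```

In this model, a SAMEORIGIN header on an exempt view can only come from a layer other than this middleware, or from the exempt flag not being on the response object the middleware receives.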
