How to remove the X-Frame-Options header in Django?

3

14

I have made a page which has an iframe. Inside the iframe I want to show many different links, such as an article from Facebook, a news page, a YouTube video, or any other URL. But because of the X-Frame-Options header I am unable to do so. I referred to the following links: https://docs.djangoproject.com/en/1.8/ref/clickjacking/ and Django XFrameOptionsMiddleware (X-Frame-Options) - allow iframe by client IP

but didn't get any help.

My settings.py file's MIDDLEWARE_CLASSES is:

MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
)

From http://django-secure.readthedocs.org/en/latest/middleware.html , I found that my problem could be solved by using the @frame_deny_exempt decorator. Still, I am getting the same error in the Chrome console, i.e. Refused to display '<URL>' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN, SAMEORIGIN'.

Any help with this?

Cordiality answered 2/7, 2015 at 6:56 Comment(0)
3

You have got something wrong here, if I understand correctly. X-Frame-Options is about the browser honouring your header on whether your site may be shown within an iframe, not about allowing a third-party site within your iframe.

That, in turn, is controlled by the other site's headers. So, for example, Facebook has set the above header to DENY, and therefore any browser honouring it will not allow your site to display it, no matter what your site's headers are.

Eldoree answered 2/7, 2015 at 8:10 Comment(1)
You are right. Thanks a lot for clarifying my problem... :) -- Cordiality
9

Remove django.middleware.clickjacking.XFrameOptionsMiddleware from the MIDDLEWARE list in settings.py.

Weide answered 6/5, 2020 at 10:54 Comment(1)
Hoooolly thanks! NGINX and Django were both sending DENY, so the header was X-Frame-Options: DENY, DENY ... -- Pen
4

I have a couple of Django sites and someone wanted to show them in an iframe. It was not possible because the "x-frame-options" header value was always SAMEORIGIN. I could not remove the "x-frame-options" header no matter what I did.

So finally I decided to do the last resort solution, which is to modify httpd.conf. I added this line:

  Header always set X-Frame-Options ALLOWALL

And now it is shown in an iframe.

Equality answered 14/8, 2015 at 3:4 Comment(0)
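The three answers above describe one mechanism from three angles: the header is read from the framed site's response (Eldoree), it can be emitted twice when Django and a reverse proxy both add it (Weide's answer and Pen's comment), and an undefined value such as ALLOWALL (Equality) is simply ignored by browsers, which is why it "works". The script below is an added example for this thread, not code from Django or from any of the answerers: it parses a raw HTTP response, collects every X-Frame-Options value (repeated header lines and the comma-joined form Chrome prints both count), and reports the framing policy a browser will derive, plus the Content-Security-Policy frame-ancestors equivalent. All sample responses are constructed inline for the demonstration.

```python
"""Diagnose the X-Frame-Options (XFO) header on a raw HTTP response.

Added example for this thread; not Django code and not an answerer's code.
It inspects the *framed* site's response, because that is the only place the
browser looks: a page cannot loosen the framing policy of another origin.
"""
from __future__ import annotations

# Constructed sample responses (not captured from any real server).
SAMPLE_DUPLICATED = (  # Django middleware and a reverse proxy each added DENY
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"\r\n<html></html>"
)
SAMPLE_JOINED = b"HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n\r\n"
SAMPLE_CONFLICT = b"HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nX-Frame-Options: DENY\r\n\r\n"
SAMPLE_ALLOWALL = b"HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\n\r\n"
SAMPLE_ABSENT = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.x response head into (name, value) pairs, keeping duplicates."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def xfo_values(raw: bytes) -> list[str]:
    """Every XFO token: one per header line and one per comma-separated value."""
    values: list[str] = []
    for name, value in parse_headers(raw):
        if name == "x-frame-options":
            values.extend(tok.strip() for tok in value.split(",") if tok.strip())
    return values


def csp_equivalent(value: str) -> str:
    """CSP frame-ancestors directive with the same meaning as one XFO value."""
    v = value.strip().upper()
    if v == "DENY":
        return "frame-ancestors 'none'"
    if v == "SAMEORIGIN":
        return "frame-ancestors 'self'"
    if v.startswith("ALLOW-FROM"):
        return "frame-ancestors " + value.strip()[len("ALLOW-FROM"):].strip()
    raise ValueError(f"no CSP equivalent for unrecognised value {value!r}")


def diagnose(raw: bytes) -> dict:
    """Classify the framing policy a browser derives from this response."""
    values = xfo_values(raw)
    norm = [v.upper() for v in values]
    csp = [v for n, v in parse_headers(raw)
           if n == "content-security-policy" and "frame-ancestors" in v.lower()]
    result: dict = {"values": values, "csp_frame_ancestors": csp}
    if not values:
        result.update(verdict="absent", framing="csp-governed" if csp else "any",
                      note="no XFO header; any origin may frame this page unless "
                           "CSP frame-ancestors restricts it")
    elif len(set(norm)) > 1:
        result.update(verdict="conflict", framing="none",
                      note="distinct values from different layers; browsers do not "
                           "pick the looser one, so fix the layer that should not emit it")
    elif len(norm) > 1:
        result.update(verdict="duplicated", framing="none",
                      note=f"{norm[0]} emitted {len(norm)} times (app middleware plus "
                           f"reverse proxy is the usual cause); Chrome reports it as "
                           f"'{', '.join(norm)}' and may refuse to frame")
    elif norm[0] == "DENY":
        result.update(verdict="deny", framing="none", note=csp_equivalent(values[0]))
    elif norm[0] == "SAMEORIGIN":
        result.update(verdict="sameorigin", framing="same-origin",
                      note=csp_equivalent(values[0]))
    elif norm[0].startswith("ALLOW-FROM"):
        result.update(verdict="allow-from", framing="listed-origin",
                      note="ALLOW-FROM was never honoured by Chrome or Safari; use "
                           + csp_equivalent(values[0]))
    else:
        result.update(verdict="unrecognised", framing="any",
                      note=f"{values[0]!r} is not a value defined by RFC 7034; browsers "
                           "ignore an unrecognised XFO header, so this equals removing it")
    return result


if __name__ == "__main__":
    for label, sample in [("duplicated", SAMPLE_DUPLICATED), ("joined", SAMPLE_JOINED),
                          ("conflict", SAMPLE_CONFLICT), ("allowall", SAMPLE_ALLOWALL),
                          ("absent", SAMPLE_ABSENT)]:
        d = diagnose(sample)
        print(f"{label:10} values={d['values']} -> {d['verdict']} ({d['framing']}): {d['note']}")
```

To use it on a live site, feed the bytes of your own server's response (for example, what `curl -i` returns) to `diagnose`. A "duplicated" or "conflict" verdict means two layers are setting the header; the fix is to leave exactly one of them in charge rather than to weaken both. If only a single view needs to be framed, Django's own `django.views.decorators.clickjacking.xframe_options_exempt` decorator exempts that view while the middleware keeps protecting the rest of the site, which is a narrower change than removing the middleware or setting an undefined value such as ALLOWALL.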

© 2022 - 2024 — McMap. All rights reserved.