How to remove the X-Frame-Options header in Django?

I made a page with an iframe. Inside the iframe I want to show several different links, such as an article from Facebook, or news, or a video on YouTube, or any other possible URL. But because of the X-Frame-Options header, I cannot do this. I referenced the following link: https://docs.djangoproject.com/en/1.8/ref/clickjacking/ as well as Django XFrameOptionsMiddleware (X-Frame-Options) - allow iframe by client IP, but did not receive any help.

My MIDDLEWARE_CLASSES in settings.py:

    MIDDLEWARE_CLASSES = (
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        # Adds X-Frame-Options (default SAMEORIGIN) to this site's own responses
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
    )

From http://django-secure.readthedocs.org/en/latest/middleware.html I found that my problem can be solved by using the @frame_deny_exempt decorator. However, I get the same error in the Chrome console, i.e. Refused to display '<URL>' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN, SAMEORIGIN'.

Any help with this?

+8
python django iframe x-frame-options clickjacking
3 answers

You have something wrong, if I understand correctly. X-Frame-Options means that the browser respects your header about whether your site may be shown in an iframe, not whether a third-party site may be shown in your iframe.

Accordingly, this comes from the other site's headers. So, for example, Facebook sets the above header to DENY, and therefore any browser that respects this will not allow your site to display it, no matter what your site's headers are.

+1

I have several Django sites and someone wants to show them in an iframe. This is not possible because the value of the "x-frame-options" header is always SAMEORIGIN. I was not able to remove the value of the header "x-frame-options" no matter what I did.

So, finally, I decided on a last resort, which was to change httpd.conf. I added this line:

   Header always set X-Frame-Options ALLOWALL

And this is shown in the iframe.

+4

So I have to remove the Django clickjacking middleware from the project.

0
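A simplified model of the browser-side check discussed in the answers above, added here as an example and not code from any of the posts. It follows the X-Frame-Options processing steps of the HTML Standard, takes the framed response's own headers as input, and shows why the question's 'SAMEORIGIN, SAMEORIGIN' blocks a cross-origin parent page whatever the parent's Django settings are. The function names and the .example hosts are assumptions, and CSP frame-ancestors source matching is not modelled.

```python
from urllib.parse import urlsplit

CONFLICTING = {"deny", "allowall", "sameorigin"}

def origin(url):
    """(scheme, host, port) tuple for a URL; default ports are filled in."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return (u.scheme, u.hostname, port)

def xfo_values(headers):
    """Lower-cased set of all X-Frame-Options values; repeated headers combine."""
    values = set()
    for name, raw in headers:
        if name.lower() == "x-frame-options":
            values.update(v.strip().lower() for v in raw.split(",") if v.strip())
    return values

def has_frame_ancestors(headers):
    """True if a CSP header carries frame-ancestors (X-Frame-Options is then ignored)."""
    for name, raw in headers:
        if name.lower() == "content-security-policy":
            for directive in raw.split(";"):
                if directive.strip().lower().split()[:1] == ["frame-ancestors"]:
                    return True
    return False

def passes_xfo_check(framed_url, headers, ancestor_urls):
    """Would the response for framed_url pass the XFO check inside ancestor_urls?"""
    if has_frame_ancestors(headers):
        return True  # XFO is skipped; CSP decides instead (not modelled here)
    values = xfo_values(headers)
    if len(values) > 1:
        return not (values & CONFLICTING)  # mixed recognised values fail closed
    if values == {"deny"}:
        return False
    if values == {"sameorigin"}:
        return all(origin(a) == origin(framed_url) for a in ancestor_urls)
    return True  # no header, "allowall", or a single unrecognised value

# Constructed sample data: the header is sent twice, as in the question's error.
PARENT = ["https://myapp.example/reader/"]
DOUBLE = [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "SAMEORIGIN")]
print(passes_xfo_check("https://news.example/story", DOUBLE, PARENT))
```

The duplicated value collapses to a single sameorigin entry, so the third-party page is refused while a page served from the parent's own origin with the same headers would render.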