While developing with Django 3, the project's front-end page embeds another page in an iframe, and the browser reports the following error:
Refused to display 'url' in a frame because it set 'X-Frame-Options' to 'deny'
The message shows that the cause is the response header X-Frame-Options set to deny.
The X-Frame-Options HTTP response header tells the browser whether a page may be displayed inside a <frame>, <iframe> or <object>. A site can use it to avoid clickjacking attacks by ensuring that its pages are not embedded in someone else's site.
X-Frame-Options has three values:
DENY: the page may not be displayed in a frame at all, even when the framing page has the same domain name
SAMEORIGIN: the page may be displayed in a frame only when the framing page has the same origin
ALLOW-FROM uri: the page may be displayed in a frame only by the specified origin (this value is obsolete and ignored by current browsers; the Content-Security-Policy frame-ancestors directive is the supported replacement)
Given these three values, changing Django's X-Frame-Options to SAMEORIGIN is enough for pages from the same origin to be displayed in a frame.
Django's clickjacking middleware and decorators provide easy-to-use protection against clickjacking. This type of attack occurs when a malicious site tricks users into clicking a hidden element of another site that it has loaded into a hidden frame or iframe.
Assume an online store has a page on which a logged-in user can click "Buy Now" to purchase goods, and that for convenience the user chooses to stay logged in. The attacker's site could place an "I like ponies" button on one of its pages and load the store's page into a transparent iframe positioned so that the invisible "Buy Now" button sits exactly over the "I like ponies" button. If a user visits the attacker's site and clicks "I like ponies", they unknowingly click "Buy Now" and purchase the item.
Modern browsers honour the X-Frame-Options HTTP header, which indicates whether a resource may be loaded in a frame or iframe. If the response carries the header with the value SAMEORIGIN, the browser loads the resource into a frame only when the request originates from the same site. If the header is set to DENY, the browser refuses to load the resource into a frame regardless of which site makes the request.
In Django 3.0, clickjacking protection is enabled by default. Django provides several ways to include this header in your site's responses:
The middleware and the view decorators set the X-Frame-Options header only when the response does not already contain one.
To set X-Frame-Options to the same value for every response on your site, add 'django.middleware.clickjacking.XFrameOptionsMiddleware' to MIDDLEWARE:
MIDDLEWARE = [
    ...
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    ...
]
This middleware is already enabled in the settings file generated by startproject.
By default, the middleware sets the X-Frame-Options header to DENY on every outgoing HttpResponse.
To allow pages with the same domain name to be displayed in a frame, set X_FRAME_OPTIONS as follows:
X_FRAME_OPTIONS = 'SAMEORIGIN'
Exempting a specific view so that no X-Frame-Options header is set on it
from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_exempt

@xframe_options_exempt
def ok_to_load_in_a_frame(request):
    return HttpResponse("This page is safe to load in a frame on any site.")
Setting X-Frame-Options for a specific view
Django provides the following decorators:
from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_deny
from django.views.decorators.clickjacking import xframe_options_sameorigin

@xframe_options_deny
def view_one(request):
    return HttpResponse("I won't display in any frame!")

@xframe_options_sameorigin
def view_two(request):
    return HttpResponse("Display in a frame if it's from the same origin as me.")
If you want to submit a form or access the session cookie from within a frame or iframe, you may also need to set:
X_FRAME_OPTIONS = 'SAMEORIGIN'