Tuesday, August 2, 2011

x-frame-options old notes

Taken from old mozsecworld.org page on x-frame-options

What to do

Add in this line to your HTTP Response Headers: X-Frame-Options: deny


How to check

Firefox's Firebug or Chrome's "Inspect Element": go to the "Net" tab, refresh the page, click on the request that shows up, select "Headers", and you should see "X-Frame-Options: DENY" under "Response Headers".

Terminal: run telnet [insert IP-address of your site] 8000, press enter, type GET /en-US/msw/ HTTP/1.1, press enter twice, then scroll to the very top of the output; you should see "x-frame-options: DENY". (Header names are case-insensitive, so the lower-case spelling is the same header.)
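The same check as a script, as an added example that is not part of the original notes. It classifies the X-Frame-Options header in the raw response text the telnet session prints (a constructed sample is embedded so it runs offline) and can also query a live server with http.client; the host, port and path are placeholders standing in for your own site.

```python
"""Check whether an HTTP response carries an X-Frame-Options header browsers honour.

Added example, not part of the original notes. It works on the raw response
text you would see in the telnet session described above (constructed samples
are embedded so it runs offline) and can also query a live server with
http.client; host, port and path are placeholders for your own site.
"""
import http.client

# The two values every browser honours. ALLOW-FROM was only ever supported by
# a few browsers and is obsolete, so it is reported as 'invalid' here.
HONOURED = {"DENY", "SAMEORIGIN"}


def classify_frame_options(values):
    """Classify a list of X-Frame-Options header values (may be empty).

    Returns one of:
      'missing'    no header: any site may frame the page (clickjacking exposure)
      'deny'       the page may not be framed at all
      'sameorigin' only pages from the same origin may frame it
      'invalid'    value not honoured by browsers; they ignore it, so the
                   page is effectively unprotected
      'conflict'   several differing values were sent; fix the server so it
                   emits exactly one
    """
    normalized = {v.strip().upper() for v in values}
    if not normalized:
        return "missing"
    if len(normalized) > 1:
        return "conflict"
    value = normalized.pop()
    return value.lower() if value in HONOURED else "invalid"


def parse_headers(raw_response):
    """Split a raw HTTP/1.x response into (status_line, headers).

    Header names are lower-cased because HTTP header names are
    case-insensitive; that is why the telnet output shows 'x-frame-options'
    while Firebug shows 'X-Frame-Options'. Repeated headers are collected in a list.
    """
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed lines rather than failing the check
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def check_raw_response(raw_response):
    """Classify the framing policy of a captured raw response."""
    _, headers = parse_headers(raw_response)
    return classify_frame_options(headers.get("x-frame-options", []))


def check_live(host, port=8000, path="/en-US/msw/"):
    """Fetch `path` from a running site and classify its X-Frame-Options header.

    Equivalent to the telnet GET in the notes; not exercised offline.
    """
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return classify_frame_options(resp.headers.get_all("x-frame-options") or [])
    finally:
        conn.close()


# Constructed sample of what the telnet session prints for a protected page.
SAMPLE_PROTECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "x-frame-options: DENY\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed sample with no header at all: the failure this check exists to catch.
SAMPLE_UNPROTECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    print("protected sample:  ", check_raw_response(SAMPLE_PROTECTED))
    print("unprotected sample:", check_raw_response(SAMPLE_UNPROTECTED))
```

Paste the output of a real telnet session into check_raw_response to classify it, or call check_live("127.0.0.1") against the dev server; anything other than 'deny' or 'sameorigin' means the page can still be framed.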

What I did

Playdoh automatically sets "X-Frame-Options" to "deny". But if you want to set it explicitly in a plain Django view, use response['x-frame-options'] = 'DENY'.


In views.py:

from django.http import HttpResponse


# X-Frame-Options
def xfo_deny(request):
    html = " ... my html stuff ... "
    response = HttpResponse(html)
    # HttpResponse behaves like a dict of headers; names are case-insensitive.
    response['x-frame-options'] = 'DENY'
    return response


Notes on how Django does x-frame-options

In vendor/src/commonware/commonware/response/middleware.py:

from django.conf import settings


class FrameOptionsHeader(object):
    """
    Set an X-Frame-Options header. Default to DENY. Set
    response['x-frame-options'] = 'SAMEORIGIN'
    to override.
    """

    def process_response(self, request, response):
        # A view decorated with xframe_allow sets this attribute to opt out entirely.
        if hasattr(response, 'no_frame_options'):
            return response

        # Only fill in the default when the view did not already pick a value.
        if 'x-frame-options' not in response:
            response['x-frame-options'] = 'DENY'

        # Response middleware must hand the response back, or Django drops it.
        return response

In vendor/src/commonware/commonware/response/decorators.py:

from functools import wraps

from django.utils.decorators import available_attrs


def xframe_sameorigin(view_fn):
    @wraps(view_fn, assigned=available_attrs(view_fn))
    def _wrapped_view(request, *args, **kwargs):
        response = view_fn(request, *args, **kwargs)
        response['x-frame-options'] = 'SAMEORIGIN'
        return response
    return _wrapped_view


def xframe_allow(view_fn):
    @wraps(view_fn, assigned=available_attrs(view_fn))
    def _wrapped_view(request, *args, **kwargs):
        response = view_fn(request, *args, **kwargs)
        response.no_frame_options = True
        return response
    return _wrapped_view


def xframe_deny(view_fn):
    @wraps(view_fn, assigned=available_attrs(view_fn))
    def _wrapped_view(request, *args, **kwargs):
        response = view_fn(request, *args, **kwargs)
        response['x-frame-options'] = 'DENY'
        return response
    return _wrapped_view
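To see how the middleware and the three decorators combine, here is an added, self-contained simulation; it is not commonware's or Django's code. FakeResponse is a stand-in for django.http.HttpResponse (a case-insensitive header mapping that accepts arbitrary attributes, which is all the middleware touches), the two header-setting decorators are folded into one factory, and the four views and their names are constructed for the demonstration.

```python
"""Simulate how the FrameOptionsHeader middleware and the xframe_* decorators
combine, without Django installed.

Added example, not commonware's or Django's code. FakeResponse stands in for
django.http.HttpResponse; the middleware and decorator bodies mirror the
commonware logic shown above. View names are made up for the demonstration.
"""
from functools import wraps


class FakeResponse:
    """Minimal HttpResponse stand-in: case-insensitive header mapping."""

    def __init__(self, content=""):
        self.content = content
        self._headers = {}

    def __setitem__(self, name, value):
        self._headers[name.lower()] = value

    def __getitem__(self, name):
        return self._headers[name.lower()]

    def __contains__(self, name):
        return name.lower() in self._headers

    def get(self, name, default=None):
        return self._headers.get(name.lower(), default)


class FrameOptionsHeader:
    """Default to DENY unless the view opted out or already chose a value."""

    def process_response(self, request, response):
        if hasattr(response, "no_frame_options"):
            return response
        if "x-frame-options" not in response:
            response["x-frame-options"] = "DENY"
        return response


def _set_header(value):
    """Build a decorator that stamps X-Frame-Options: <value> on the view's response."""
    def decorator(view_fn):
        @wraps(view_fn)
        def _wrapped_view(request, *args, **kwargs):
            response = view_fn(request, *args, **kwargs)
            response["x-frame-options"] = value
            return response
        return _wrapped_view
    return decorator


xframe_deny = _set_header("DENY")
xframe_sameorigin = _set_header("SAMEORIGIN")


def xframe_allow(view_fn):
    """Opt a view out of the header entirely: the page becomes frameable by any site."""
    @wraps(view_fn)
    def _wrapped_view(request, *args, **kwargs):
        response = view_fn(request, *args, **kwargs)
        response.no_frame_options = True
        return response
    return _wrapped_view


# Four constructed views, one per policy. `request` is unused; None stands in for it.
def plain_view(request):
    return FakeResponse("<p>default</p>")


@xframe_sameorigin
def widget_view(request):
    return FakeResponse("<p>embeddable on our own origin only</p>")


@xframe_allow
def embed_anywhere_view(request):
    return FakeResponse("<p>opted out of the header</p>")


@xframe_deny
def login_view(request):
    return FakeResponse("<p>never framed</p>")


def run_through_middleware(view_fn, request=None):
    """Django calls the view first and the middleware's process_response after it,
    so whatever the decorator put on the response is already there when the
    middleware looks. Returns the final header value, or None if absent."""
    response = view_fn(request)
    response = FrameOptionsHeader().process_response(request, response)
    return response.get("x-frame-options")


if __name__ == "__main__":
    for view in (plain_view, widget_view, embed_anywhere_view, login_view):
        print(f"{view.__name__:22s} X-Frame-Options: {run_through_middleware(view)}")
```

Two things the run makes visible: an undecorated view gets DENY without any per-view code, which is why Playdoh projects are protected by default, and the opt-out is checked with hasattr, so merely setting response.no_frame_options = False still suppresses the header. Treat xframe_allow as a deliberate exception that deserves review, since the page it decorates can be framed by any origin.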
        

1 comment:

  1. How to disable the xframe option from a webpage dynamically, using JavaScript?