Saturday, December 3, 2022

[FIXED] What exactly does X_FRAME_OPTIONS = 'SAMEORIGIN' do?

December 03, 2022 | django, heroku, iframe, x-frame-options | No comments

Issue

I created a site in Django that I deployed on Heroku. I am looking to display this site in an iframe in an HTML page present on my localhost. This does not work, because the default value of X_FRAME_OPTIONS is DENY, which doesn't authorize it. When I search the internet, I am asked to replace the value DENY with the value SAMEORIGIN. I found this passage in the official Django documentation:

Modern browsers respect the X-Frame-Options HTTP header which indicates whether a resource is allowed to load inside a frame or iframe. If the response contains the header with a value of SAMEORIGIN then the browser will only load the resource in a frame if the request comes from the same site.

What I don't understand is that I'm looking to load a site that's on the web from a web page that has an iframe in it, and I'm wondering whether they mean by this passage in the doc that the site can be loaded by a web page present on the computer that deployed it, or whether one of the web pages present on the deployed site can load it in an iframe, something that I do not understand because I wonder how a site can load itself in an iframe. I especially wonder if this header can allow me to load my site in a web page, knowing that this web page has not been deployed, unlike the site.


Solution

Modern browsers respect the Content-Security-Policy frame-ancestors directive. With the retirement of IE there is no longer a need for the inflexible X-Frame-Options.

For details on how to implement, see the answers to this question: How to configure X-Frame-Options in Django to allow iframe embedding of one view?. You could use the examples to disable X-Frame-Options, but implementing CSP frame-ancestors will make it obsolete in all browsers but IE.

The value for frame-ancestors could be set to localhost:* or 127.0.0.1.



Answered By - Halvor Sakshaug
Answer Checked By - Robin (PHPFixing Admin)
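The two points the answer relies on, as an added example that is not part of the original question or answer: what "same origin" actually compares (so X-Frame-Options: SAMEORIGIN only permits a page on the deployed site to frame another page of that same site, never a file served from localhost), and how a Django-style middleware can emit a Content-Security-Policy frame-ancestors header instead. Django is not imported so the snippet runs stand-alone; the middleware class, its name, the FAKE_RESPONSE stand-in and the allow-list values are assumptions for illustration, and the hostnames are constructed. Django's real HttpResponse supports the same response["Header"] = value and response.get("Header") calls used here.

```python
from urllib.parse import urlsplit

# Assumed allow-list for the example; in a real project this would come
# from settings.py. 'self' keeps same-site framing working, the two
# localhost forms cover a page opened from a local dev server on any port.
FRAME_ANCESTORS = ["'self'", "http://localhost:*", "http://127.0.0.1:*"]


def origin_of(url):
    """Return (scheme, host, port): the triple browsers compare when they
    decide whether two documents share an origin."""
    parts = urlsplit(url)
    port = parts.port
    if port is None:  # fall back to the scheme's default port
        port = {"http": 80, "https": 443}.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def allowed_under_sameorigin(framed_url, embedding_page_url):
    """X-Frame-Options: SAMEORIGIN semantics: the page that contains the
    <iframe> must have the same scheme, host and port as the framed page.
    A page served from localhost therefore never qualifies for a site on
    another host, which is the asker's situation."""
    return origin_of(framed_url) == origin_of(embedding_page_url)


def frame_ancestors_header(sources):
    """Build the Content-Security-Policy value from CSP source expressions.
    Rejects an empty list and any expression containing whitespace, since a
    stray space would silently split one source into two."""
    cleaned = [s.strip() for s in sources if s and s.strip()]
    if not cleaned:
        raise ValueError("frame-ancestors needs at least one source, e.g. 'none' or 'self'")
    for src in cleaned:
        if any(ch.isspace() for ch in src):
            raise ValueError("source expression must not contain whitespace: %r" % src)
    return "frame-ancestors " + " ".join(cleaned)


class FrameAncestorsMiddleware:
    """Hypothetical Django-style middleware: sets CSP frame-ancestors on
    every response that does not already carry its own policy. It follows
    Django's convention of a callable constructed with get_response."""

    def __init__(self, get_response, sources=None):
        self.get_response = get_response
        self.header_value = frame_ancestors_header(sources or FRAME_ANCESTORS)

    def __call__(self, request):
        response = self.get_response(request)
        # A view that set its own Content-Security-Policy wins.
        if not response.get("Content-Security-Policy"):
            response["Content-Security-Policy"] = self.header_value
        return response


class FakeResponse(dict):
    """Constructed stand-in for django.http.HttpResponse exposing only the
    header-dict API this example needs."""


def demo():
    """Run the middleware over a dummy view and return the header it set."""
    middleware = FrameAncestorsMiddleware(lambda request: FakeResponse())
    response = middleware(None)
    return response["Content-Security-Policy"]


if __name__ == "__main__":
    print(demo())
    print(allowed_under_sameorigin("https://example.herokuapp.com/page/",
                                   "http://localhost:8000/index.html"))
```

With the middleware in place, a page served by the local dev server on any port may embed the deployed site, while X-Frame-Options can be left at its default or dropped; a view that needs a stricter policy can set its own Content-Security-Policy header and the middleware leaves it untouched.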