Opened 15 hours ago
Closed 14 hours ago
#36160 closed Uncategorized (needsinfo)
Django serve view does not respect X_FRAME_OPTIONS = "SAMEORIGIN"
Reported by: | Mirat Can Bayrak | Owned by: | |
---|---|---|---|
Component: | contrib.staticfiles | Version: | 5.1 |
Severity: | Normal | Keywords: | static, headers |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
In my Django project, I needed to display an uploaded file inside an <iframe>. However, I noticed that Django's built-in serve view does not respect the X_FRAME_OPTIONS = "SAMEORIGIN" setting, which prevents the file from being embedded in an iframe.
After investigating, I found that the serve view in Django does not modify the response headers related to X_FRAME_OPTIONS, meaning it defaults to Django's global security settings.
Serve view:
FileResponse implementation:
Since serve acts as a wrapper around FileResponse, I expected it to either respect X_FRAME_OPTIONS or provide a way to override it.
Would it be possible to modify the serve view to allow overriding X_FRAME_OPTIONS explicitly?
Can you share a minimal reproducible example/code snippets?
There is a section which documents how you can use either the X_FRAME_OPTIONS setting or the @xframe_options_exempt decorator to customize the behavior. I would need to know whether you are using these and what the results are.
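As an added illustration of the interaction the triage comment points to (the global X_FRAME_OPTIONS setting versus the per-view clickjacking decorators), and not code from the ticket or from Django itself: a self-contained Python model of how the final X-Frame-Options header is decided for a response from the static serve view. The class and function names are stand-ins written for this example; the real pieces are django.views.static.serve, django.middleware.clickjacking.XFrameOptionsMiddleware and the decorators in django.views.decorators.clickjacking.

```python
# Added example, not code from the ticket or from Django itself: a simplified
# model of how XFrameOptionsMiddleware and the clickjacking decorators decide
# the X-Frame-Options header on a response from the static `serve` view.
class Response:
    """Stand-in for HttpResponse: only the parts the middleware inspects."""
    def __init__(self):
        self.headers = {}
        self.xframe_options_exempt = False  # flag set by xframe_options_exempt

def serve(request, path):
    """Stand-in for django.views.static.serve: never touches X-Frame-Options."""
    return Response()

def xframe_options_exempt(view):
    """Mark the response so the middleware leaves the header off entirely."""
    def wrapped(request, *args, **kwargs):
        resp = view(request, *args, **kwargs)
        resp.xframe_options_exempt = True
        return resp
    return wrapped

def xframe_options_sameorigin(view):
    """Set SAMEORIGIN on the response unless the view already set a value."""
    def wrapped(request, *args, **kwargs):
        resp = view(request, *args, **kwargs)
        resp.headers.setdefault("X-Frame-Options", "SAMEORIGIN")
        return resp
    return wrapped

def xframe_options_middleware(resp, x_frame_options_setting):
    """Model of XFrameOptionsMiddleware.process_response: the global setting
    is only a fallback, used when no header and no exemption is present."""
    if "X-Frame-Options" in resp.headers or resp.xframe_options_exempt:
        return resp
    resp.headers["X-Frame-Options"] = x_frame_options_setting.upper()
    return resp

def final_header(view, setting):
    """Send one request through the view, then the middleware; return header."""
    resp = xframe_options_middleware(view(None, "upload.pdf"), setting)
    return resp.headers.get("X-Frame-Options")

if __name__ == "__main__":
    # Plain serve() inherits the global setting, as the ticket describes.
    print(final_header(serve, "SAMEORIGIN"))                         # SAMEORIGIN
    print(final_header(xframe_options_sameorigin(serve), "DENY"))    # SAMEORIGIN
    print(final_header(xframe_options_exempt(serve), "SAMEORIGIN"))  # None
```

The middleware only fills in the header when the view left it unset and did not mark the response exempt, so a wrapper around serve is the place to change the value for one URL while the global setting keeps protecting everything else.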