How to configure X-Frame-Options in Django to allow iframe embedding of one view?

Question

I'm trying to enable django to allow one specific view to be embedded on external sites, preferabilly without sites restrictions.

In my views.py file, I have added the following code, where the view futurebig is the one I want to enable to be embedded:

from django.views.decorators.clickjacking import xframe_options_sameorigin
...
@xframe_options_sameorigin
def futurebig(request):
    ...
    return render_to_response('templates/iframe/future_clock_big.html', context_dict, context)

which doesn't help as I understand because it only enables embedding in the same server.

How can I set the headers for that specific view to enable it to be embedded in any website?

For the record, I'm just a frontend developer, the backend developer who developed the site is no longer working with me and refused to document his code, so, If anyone could help me and explain carefully where and what modifications I should do, I'll apreciatte it very much.

Thanks.

As far as I know, the Django version is 1.6

score 84 · Accepted Answer · answered Oct 21 '15 at 19:44

84

You are going in the right direction, but exact decorator which you will need to achieve this is 'xframe_options_exempt'.

from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_exempt

@xframe_options_exempt
def ok_to_load_in_a_frame(request):
    return HttpResponse("This page is safe to load in a frame on any site.")

PS: DJango 1.6 is no longer supported. It is good time to get an upgrade.

answered Oct 21 '15 at 19:44

iankit

8,806
10
50
56

8

I think, we need decorator for ALLOW-FROM of iframe options https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/X-Frame-Options to define acceptable domains, not just remove X-Frame Header, please, somebody, create ticket (i have no access) – LennyLip Sep 11 '16 at 07:20

score 26 · Answer 2 · answered Feb 09 '18 at 14:05

26

Apparently you can set a rule in your settings telling the following:

X_FRAME_OPTIONS = 'ALLOW-FROM https://example.com/'

Also nowadays you should consider moving to CSP

Content-Security-Policy: frame-ancestors 'self' example.com *.example.net ;

See https://stackoverflow.com/a/25617678/186202

answered Feb 09 '18 at 14:05

Natim

17,274
23
92
150

3

ALLOW-FROM will not support chrome and safari – Sarath Ak Nov 15 '18 at 12:12
And ALLOW-FROM should NOT be used anymore: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options . As the @Natim said: Move to CSP! – Adrian Oct 27 '21 at 11:43

score 0 · Answer 3 · answered Feb 13 '21 at 20:08

If you want to allow the frame in specific view you can add Content-Security-Policy to your view response, so your code will be something like this

def MyView(request):
    ....
    ....
    response = render(request,'MyViewHtml.html' ,{...})
    response ['Content-Security-Policy'] = "frame-ancestors 'self' https://example.com"

How to configure X-Frame-Options in Django to allow iframe embedding of one view?

3 Answers3

Linked