
Class XFrameOptionsMiddleware

django/middleware/clickjacking.py:12–48


from django.conf import settings
from django.utils.deprecation import MiddlewareMixin


class XFrameOptionsMiddleware(MiddlewareMixin):
    """
    Set the X-Frame-Options HTTP header in HTTP responses.

    Do not set the header if it's already set or if the response contains
    an xframe_options_exempt value set to True.

    By default, set the X-Frame-Options header to 'DENY', meaning the response
    cannot be displayed in a frame, regardless of the site attempting to do so.
    To enable the response to be loaded on a frame within the same site, set
    X_FRAME_OPTIONS in your project's Django settings to 'SAMEORIGIN'.
    """

    def process_response(self, request, response):
        # Don't set it if it's already in the response
        if response.get("X-Frame-Options") is not None:
            return response

        # Don't set it if they used @xframe_options_exempt
        if getattr(response, "xframe_options_exempt", False):
            return response

        response.headers["X-Frame-Options"] = self.get_xframe_options_value(
            request,
            response,
        )
        return response

    def get_xframe_options_value(self, request, response):
        """
        Get the value to set for the X_FRAME_OPTIONS header. Use the value from
        the X_FRAME_OPTIONS setting, or 'DENY' if not set.

        This method can be overridden if needed, allowing it to vary based on
        the request or response.
        """
        return getattr(settings, "X_FRAME_OPTIONS", "DENY").upper()
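As an added example (not part of Django or of this page), a defender-side check over constructed raw HTTP responses: it reports whether each response carries X-Frame-Options with one of the two values the middleware can emit, a value modern browsers no longer honour (the obsolete ALLOW-FROM form), or no header at all, which is what an exempt view or a missing middleware entry looks like from the outside.

```python
# Constructed sample responses (not real captures): one set by the middleware,
# one from an exempt view (or a site without the middleware), one whose view
# set the header itself in lower case, and one using the obsolete ALLOW-FROM.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n<html>",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n\r\n<html>",
    "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://example.com\r\n\r\n<html>",
]

# The only two values the middleware will ever produce (settings value is upper-cased).
ACCEPTED = {"DENY", "SAMEORIGIN"}


def parse_headers(raw):
    """Return {lower-cased header name: value} from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify(raw):
    """Classify one response as ('ok' | 'missing' | 'unsupported', header value)."""
    value = parse_headers(raw).get("x-frame-options")
    if value is None:
        # Nothing protects this page from framing: exempt view, or middleware absent.
        return ("missing", None)
    # Header values are case-insensitive for browsers, so compare upper-cased.
    if value.upper() in ACCEPTED:
        return ("ok", value)
    return ("unsupported", value)


def audit(responses):
    """Classify every response; anything not 'ok' deserves a look."""
    return [classify(r) for r in responses]


if __name__ == "__main__":
    for status, value in audit(SAMPLE_RESPONSES):
        print(status, value)
```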
