Tags: python, django, iframe, x-frame-options, clickjacking

How to remove the X-Frame-Options header in Django?


I have made a page which has an iframe. Inside the iframe I want to show multiple different links, like an article from Facebook, or news, or a YouTube video, or any other possible URL. But, due to the X-Frame-Options header, I am unable to do so. I referred to the following link: https://docs.djangoproject.com/en/1.8/ref/clickjacking/ and Django XFrameOptionsMiddleware (X-Frame-Options) - allow iframe by client IP

but didn't get any help.

My settings.py file's MIDDLEWARE_CLASSES is:

MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
)

From http://django-secure.readthedocs.org/en/latest/middleware.html, I found that using the decorator @frame_deny_exempt my problem could be solved. Still, I am getting the same error in the Chrome console, i.e. Refused to display '<URL>' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN, SAMEORIGIN'.

Any help with this?


Solution

  • You got something wrong here, if I understand well. X-Frame-Options is about the browser honouring your header on whether your site will be allowed within an iframe, rather than about allowing a third-party site within your iframe.

    Conversely, that is governed by the other site's headers. So, for example, Facebook has set the above header to DENY, and therefore any browser honouring this will not allow your site to present it, no matter what your site's headers are.
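To make the direction of the check concrete, here is an added example (not code from the question, the answer, or Django itself) that models the browser-side decision described in the HTML Standard's "The X-Frame-Options header" algorithm. The only inputs are the response of the document being loaded inside the iframe and the origins of the documents framing it; the framing page's own headers never enter the function at all. The URLs, header values and the `FramedResponse` type are constructed for illustration; the only real-world value carried over from the answer is Facebook sending DENY.

```python
"""Model of how a browser evaluates X-Frame-Options for a framed document.

Follows the steps of the HTML Standard's X-Frame-Options check:
  1. top-level navigations are never blocked;
  2. a CSP frame-ancestors directive on the framed response makes XFO ignored;
  3. the header value is split on commas, trimmed and lower-cased;
  4. more than one distinct token (e.g. "SAMEORIGIN, DENY") means deny;
  5. "deny" denies; "sameorigin" requires every ancestor to share the
     response's origin; any other single token (including the obsolete
     ALLOW-FROM) is ignored and the frame is allowed.
Added example; `FramedResponse`, the URLs and header values are hypothetical.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_tuple(url):
    """(scheme, host, port) so that 'https://a.example' == 'https://a.example:443/x'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


@dataclass
class FramedResponse:
    """The HTTP response for the document that is loaded *inside* the iframe."""
    url: str
    headers: dict = field(default_factory=dict)  # header name -> raw value as sent
    csp_frame_ancestors: bool = False            # True if a CSP with frame-ancestors was sent

    def header(self, name):
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def xfo_tokens(raw):
    """'get, decode, and split' of the header value: split on commas, trim, lower-case."""
    return [token.strip().lower() for token in raw.split(",") if token.strip()]


def frame_allowed(response, ancestor_origins):
    """True if the browser will render `response` inside a frame whose ancestor
    documents have the given origins. The framing page's headers are not an input."""
    if not ancestor_origins:               # top-level navigation: XFO never applies
        return True
    if response.csp_frame_ancestors:       # CSP frame-ancestors takes precedence, XFO ignored
        return True
    raw = response.header("X-Frame-Options")
    if raw is None:
        return True
    tokens = xfo_tokens(raw)
    if len(set(tokens)) > 1:               # conflicting values: treated as DENY
        return False
    if "deny" in tokens:
        return False
    if "sameorigin" in tokens:
        own = origin_tuple(response.url)
        return all(origin_tuple(a) == own for a in ancestor_origins)
    return True                            # unrecognised token: header has no effect


# Constructed scenarios matching the question and the answer.
MY_SITE = "https://mysite.example"

# A Facebook page sends DENY (as the answer states), so nothing can frame it.
facebook_page = FramedResponse("https://www.facebook.com/some/article",
                               {"X-Frame-Options": "DENY"})

# The questioner's own view, with the doubled value the Chrome console reported.
own_embed = FramedResponse(MY_SITE + "/embed",
                           {"X-Frame-Options": "SAMEORIGIN, SAMEORIGIN"})

# The same view after the clickjacking middleware has been removed for it.
own_embed_exempt = FramedResponse(MY_SITE + "/embed", {})


def scenarios():
    """Each entry: (description, browser decision)."""
    return {
        "facebook framed by my site": frame_allowed(facebook_page, [MY_SITE]),
        "my embed framed by my site": frame_allowed(own_embed, [MY_SITE]),
        "my embed framed by other site": frame_allowed(own_embed, ["https://other.example"]),
        "exempt embed framed by other site": frame_allowed(own_embed_exempt, ["https://other.example"]),
        "conflicting SAMEORIGIN, DENY": frame_allowed(
            FramedResponse(MY_SITE + "/x", {"X-Frame-Options": "SAMEORIGIN, DENY"}), [MY_SITE]),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'BLOCKED'}")
```

Two things fall out of running it: removing or exempting the middleware on your own views changes only whether *other* sites may frame *you* (the "exempt embed" case), and "SAMEORIGIN, SAMEORIGIN" still behaves as a single SAMEORIGIN because identical tokens collapse to one, while "SAMEORIGIN, DENY" is treated as DENY. Nothing you send from your server can change the first scenario.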