djangoherokuiframex-frame-options

What exactly does X_FRAME_OPTIONS = 'SAMEORIGIN'?


I created a site in Django that I deployed on heroku. I am looking to display this site in an iframe in an html page present on my localhost. Which is not done, because the default value of X_FRAME_OPTIONS is DENY which don't autorize this. When I search the internet, I am asked to replace the value DENY with the value SAMEORIGIN. I learned about the official Django documentation from this passage:

Modern browsers respect the X-Frame-Options HTTP header which indicates whether a resource is allowed to load inside a frame or iframe. If the response contains the header with a value of SAMEORIGINthen the browser will only load the resource in a frame if the request comes from the same site.

What I don't understand is that I'm looking to load a site that's on the web from a web page that has an iframe in it and I'm wondering if they mean by this passage in the doc that the site can be loaded by a web page present on the computer that deployed it or can one of the web pages present on the deployed site load it in an iframe, something that I do not understand because I wonder how a site can load itself in an iframe. I especially wonder if this header can allow me to load my site in a web page knowing that this web page has not been deployed unlike the site.


Solution

  • Modern browsers respect Content-Security-Policy frame-ancestors directive. With the retirement of IE there is no longer a need for the inflexible X-Frame-Options.

    For details on how to implement, see the answers to this question: How to configure X-Frame-Options in Django to allow iframe embedding of one view?. You could use the examples to disable X-Frame-Options, but implementing CSP frame-ancestors will make it obsolete in all browsers but IE.

    The value for frame-ancestors could be set to localhost:* or 127.0.0.1.