Merge pull request #4168 from yakky/feature/backport_4142

Backport #4142
django-cms · Jun 7, 2015 · 3a76b53 · 3a76b53
2 parents 05369ad + 3b34e78
commit 3a76b53
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/cms/tests/page.py b/cms/tests/page.py
@@ -952,6 +952,13 @@ def test_xframe_options_inherit_with_parent(self):
         resp = self.client.get(page.get_absolute_url('en'))
         self.assertEqual(resp.get('X-Frame-Options'), 'DENY')
 
+    def test_top_level_page_inherited_xframe_options_are_applied(self):
+        with SettingsOverride(MIDDLEWARE_CLASSES=settings.MIDDLEWARE_CLASSES + ['django.middleware.clickjacking.XFrameOptionsMiddleware']):
+            page = create_page('test page 1', 'nav_playground.html', 'en',
+                               published=True)
+            resp = self.client.get(page.get_absolute_url('en'))
+            self.assertEqual(resp.get('X-Frame-Options'), 'SAMEORIGIN')
+
 class PageAdminTestBase(CMSTestCase):
     """
     The purpose of this class is to provide some basic functionality

diff --git a/cms/views.py b/cms/views.py
@@ -206,7 +206,9 @@ def details(request, slug):
 
     # Add headers for X Frame Options - this really should be changed upon moving to class based views
     xframe_options = page.get_xframe_options()
-    if xframe_options == Page.X_FRAME_OPTIONS_INHERIT:
+    # xframe_options can be None if there's no xframe information on the page
+    # (eg. a top-level page which has xframe options set to "inherit")
+    if xframe_options == Page.X_FRAME_OPTIONS_INHERIT or xframe_options is None:
         # This is when we defer to django's own clickjacking handling
         return response