Fixed #6346 -- Set xframe options exempt on cached response (#6403)
czpython committed Jun 10, 2018
1 parent 25a6e11 commit 675de13
Showing 3 changed files with 36 additions and 0 deletions.
1 change: 1 addition & 0 deletions AUTHORS
Expand Up @@ -316,6 +316,7 @@ Contributors (based on gitlog, 497 unique authors):
* martinkosir
* Matas Dailyda
* Mateusz Dereniowski
* Mateusz Kamycki
* Mateusz Marzantowicz
* mathijs
* Matt Chisholm
34 changes: 34 additions & 0 deletions cms/tests/test_page.py
Expand Up @@ -1015,6 +1015,40 @@ def test_top_level_page_inherited_xframe_options_are_applied(self):
resp = self.client.get(page.get_absolute_url('en'))
self.assertEqual(resp.get('X-Frame-Options'), 'SAMEORIGIN')

def test_xframe_options_with_cms_page_cache_and_clickjacking_middleware(self):
# Refs: 6346
if getattr(settings, 'MIDDLEWARE', None):
override = {
'MIDDLEWARE': settings.MIDDLEWARE + [
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
}
else:
override = {
'MIDDLEWARE_CLASSES': settings.MIDDLEWARE_CLASSES + [
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
}

override['CMS_PAGE_CACHE'] = True

with self.settings(**override):
page = create_page(
'test page 1',
'nav_playground.html',
'en',
published=True,
xframe_options=Page.X_FRAME_OPTIONS_ALLOW,
)

# Normal response from render_page
resp = self.client.get(page.get_absolute_url('en'))
self.assertEqual(resp.get('X-Frame-Options'), None)

# Response from page cache
resp = self.client.get(page.get_absolute_url('en'))
self.assertEqual(resp.get('X-Frame-Options'), None)

def test_page_used_on_request(self):
"""
The rendered page changes depending on request and
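Review bot: `test_xframe_options_with_cms_page_cache_and_clickjacking_middleware` only exercises `Page.X_FRAME_OPTIONS_ALLOW`, where the expected result is the absence of a header, so it cannot detect a cache path that drops a restrictive header. A sibling case that creates the page with `xframe_options=Page.X_FRAME_OPTIONS_DENY` and asserts `self.assertEqual(resp.get('X-Frame-Options'), 'DENY')` on both requests would pin the security-relevant direction. A page that inherits the site-wide setting while `XFrameOptionsMiddleware` is active should be covered the same way. Nothing in the test confirms that the second `self.client.get` is actually served from the page cache; if the test cache backend stores nothing, the second assertion passes without exercising the fix, so it is worth asserting the cache hit explicitly.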
1 change: 1 addition & 0 deletions cms/views.py
Expand Up @@ -52,6 +52,7 @@ def details(request, slug):
if cache_content is not None:
content, headers, expires_datetime = cache_content
response = HttpResponse(content)
response.xframe_options_exempt = True
response._headers = headers
# Recalculate the max-age header for this cached response
max_age = int(
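Review bot: `response.xframe_options_exempt = True` is applied to every cache hit in `details`, regardless of the page's xframe setting, so `XFrameOptionsMiddleware` never adds a header to a cached response. The only framing protection left is whatever `X-Frame-Options` value the restored `headers` contain. If those headers are captured before the middleware runs (the cache-writing code is not visible here), a page that defers to the site-wide setting would carry the header on its first response but lose it on every cached one. Storing the original response's exempt flag with the cache entry and restoring it here, e.g. `response.xframe_options_exempt = cached_exempt` (placeholder name), would keep cached and uncached responses consistent. The body of `details` starts and ends outside the hunk.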
