GitHub is home to over 20 million developers working together to host and review code, manage projects, and build software together.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
Already on GitHub? Sign in to your account
The Django settings parameter X_FRAME_OPTIONS(https://docs.djangoproject.com/en/dev/ref/clickjacking/#setting-x-frame-options-for-all-responses) which got introduced with 1.4 prevents the inline ModelAdmins of every plugin from loading.
that's only true if you set X_FRAME_OPTIONS to 'DENY'. The default is SAMEORIGIN, which according to my short test, does work.
The CMS admin requires iframes, there is no way around it.
OK, on a second thought, it would probably make sense to decorate PageAdmin.edit_plugin and PlaceholderAdmin.edit_plugin with xframe_options_sameorigin, with a noop fallback for Django 1.3
That's just what I thought! It doesn't make much sense to me to deny the whole app the strict setting simply because of some admin views depending on a 'SAMEORIGIN' setting, especially with the nice decorators at hand.