X_FRAME_OPTIONS settings parameter prevents plugin's ModelAdmin from model. #1351

Closed
lukasbuenger opened this Issue Jul 19, 2012 · 3 comments

Comments

Projects
None yet
2 participants

The Django settings parameter X_FRAME_OPTIONS(https://docs.djangoproject.com/en/dev/ref/clickjacking/#setting-x-frame-options-for-all-responses) which got introduced with 1.4 prevents the inline ModelAdmins of every plugin from loading.

Contributor

beniwohli commented Jul 19, 2012

Hi,

that's only true if you set X_FRAME_OPTIONS to 'DENY'. The default is SAMEORIGIN, which according to my short test, does work.

The CMS admin requires iframes, there is no way around it.

Contributor

beniwohli commented Jul 19, 2012

OK, on a second thought, it would probably make sense to decorate PageAdmin.edit_plugin and PlaceholderAdmin.edit_plugin with xframe_options_sameorigin, with a noop fallback for Django 1.3

That's just what I thought! It doesn't make much sense to me to deny the whole app the strict setting simply because of some admin views depending on a 'SAMEORIGIN' setting, especially with the nice decorators at hand.

@digi604 digi604 referenced this issue Apr 8, 2013

Merged

fixes #1351 #1699

@digi604 digi604 closed this in 0989a7a Apr 8, 2013

schneck added a commit to schneck/django-cms that referenced this issue Jul 13, 2013

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment