Fixed #30426 -- Made X_FRAME_OPTIONS default to DENY.

django · Sep 7, 2019 · 7ef92ef · 7ef92ef
1 parent 4a954cf
commit 7ef92ef
Show file tree

Hide file tree

Showing 7 changed files with 26 additions and 10 deletions.
diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py
@@ -415,7 +415,7 @@ def gettext_noop(s):
 DEFAULT_INDEX_TABLESPACE = ''
 
 # Default X-Frame-Options header value
-X_FRAME_OPTIONS = 'SAMEORIGIN'
+X_FRAME_OPTIONS = 'DENY'
 
 USE_X_FORWARDED_HOST = False
 USE_X_FORWARDED_PORT = False

diff --git a/django/middleware/clickjacking.py b/django/middleware/clickjacking.py
@@ -37,9 +37,9 @@ def process_response(self, request, response):
     def get_xframe_options_value(self, request, response):
         """
         Get the value to set for the X_FRAME_OPTIONS header. Use the value from
-        the X_FRAME_OPTIONS setting, or 'SAMEORIGIN' if not set.
+        the X_FRAME_OPTIONS setting, or 'DENY' if not set.
 
         This method can be overridden if needed, allowing it to vary based on
         the request or response.
         """
-        return getattr(settings, 'X_FRAME_OPTIONS', 'SAMEORIGIN').upper()
+        return getattr(settings, 'X_FRAME_OPTIONS', 'DENY').upper()
diff --git a/docs/ref/clickjacking.txt b/docs/ref/clickjacking.txt
@@ -67,10 +67,14 @@ This middleware is enabled in the settings file generated by
 :djadmin:`startproject`.
 
 By default, the middleware will set the ``X-Frame-Options`` header to
-``SAMEORIGIN`` for every outgoing ``HttpResponse``. If you want ``DENY``
-instead, set the :setting:`X_FRAME_OPTIONS` setting::
+``DENY`` for every outgoing ``HttpResponse``. If you want any other value for
+this header instead, set the :setting:`X_FRAME_OPTIONS` setting::
 
-    X_FRAME_OPTIONS = 'DENY'
+    X_FRAME_OPTIONS = 'SAMEORIGIN'
+
+.. versionchanged:: 3.0
+
+    The default value changed from ``SAMEORIGIN`` to ``DENY``.
 
 When using the middleware there may be some views where you do **not** want the
 ``X-Frame-Options`` header set. For those cases, you can use a view decorator
@@ -116,6 +120,7 @@ Browsers that support ``X-Frame-Options``
 -----------------------------------------
 
 * Internet Explorer 8+
+* Edge 12+
 * Firefox 3.6.9+
 * Opera 10.5+
 * Safari 4+

diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
@@ -2795,12 +2795,16 @@ and :setting:`MONTH_DAY_FORMAT`.
 ``X_FRAME_OPTIONS``
 -------------------
 
-Default: ``'SAMEORIGIN'``
+Default: ``'DENY'``
 
 The default value for the X-Frame-Options header used by
 :class:`~django.middleware.clickjacking.XFrameOptionsMiddleware`. See the
 :doc:`clickjacking protection </ref/clickjacking/>` documentation.
 
+.. versionchanged:: 3.0
+
+    The default value changed from ``SAMEORIGIN`` to ``DENY``.
+
 
 Auth
 ====

diff --git a/docs/releases/3.0.txt b/docs/releases/3.0.txt
@@ -535,6 +535,13 @@ upload handler is used.
 ``FILE_UPLOAD_PERMISSION`` now defaults to ``0o644`` to avoid this
 inconsistency.
 
+New default value for the ``X_FRAME_OPTIONS`` setting
+-----------------------------------------------------
+
+In older versions, the :setting:`X_FRAME_OPTIONS` setting defaults to
+``SAMEORIGIN``. To make Django projects more secure by default, the setting now
+defaults to ``DENY``.
+
 Miscellaneous
 -------------
 

diff --git a/tests/middleware/tests.py b/tests/middleware/tests.py
@@ -621,12 +621,12 @@ def test_deny(self):
     def test_defaults_sameorigin(self):
         """
         If the X_FRAME_OPTIONS setting is not set then it defaults to
-        SAMEORIGIN.
+        DENY.
         """
         with override_settings(X_FRAME_OPTIONS=None):
             del settings.X_FRAME_OPTIONS    # restored by override_settings
             r = XFrameOptionsMiddleware().process_response(HttpRequest(), HttpResponse())
-            self.assertEqual(r['X-Frame-Options'], 'SAMEORIGIN')
+            self.assertEqual(r['X-Frame-Options'], 'DENY')
 
     def test_dont_set_if_set(self):
         """

diff --git a/tests/project_template/test_settings.py b/tests/project_template/test_settings.py
@@ -39,5 +39,5 @@ def test_middleware_headers(self):
                 b'Content-Length: 0',
                 b'Content-Type: text/html; charset=utf-8',
                 b'X-Content-Type-Options: nosniff',
-                b'X-Frame-Options: SAMEORIGIN',
+                b'X-Frame-Options: DENY',
             ])