Override X-Frame-Options specifically for the rack-elevation SVG view (…

…#943) * Fix #939 - override X-Frame-Options specifically for the rack-elevation SVG view * Re-add warning in docs
nautobot · Sep 24, 2021 · 5b0f6db · 5b0f6db
1 parent 64fb2a2
commit 5b0f6db
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 2 deletions.
diff --git a/nautobot/core/settings.py b/nautobot/core/settings.py
@@ -381,7 +381,7 @@
 WSGI_APPLICATION = "nautobot.core.wsgi.application"
 SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
 USE_X_FORWARDED_HOST = True
-X_FRAME_OPTIONS = "SAMEORIGIN"
+X_FRAME_OPTIONS = "DENY"
 
 # Static files (CSS, JavaScript, Images)
 STATIC_ROOT = os.path.join(NAUTOBOT_ROOT, "static")

diff --git a/nautobot/dcim/api/views.py b/nautobot/dcim/api/views.py
@@ -5,6 +5,7 @@
 from django.db.models import F
 from django.http import HttpResponseForbidden, HttpResponse
 from django.shortcuts import get_object_or_404
+from django.views.decorators.clickjacking import xframe_options_sameorigin
 from drf_yasg import openapi
 from drf_yasg.openapi import Parameter
 from drf_yasg.utils import swagger_auto_schema
@@ -198,6 +199,7 @@ class RackViewSet(StatusViewSetMixin, CustomFieldModelViewSet):
         query_serializer=serializers.RackElevationDetailFilterSerializer,
     )
     @action(detail=True)
+    @xframe_options_sameorigin
     def elevation(self, request, pk=None):
         """
         Rack elevation representing the list of rack units. Also supports rendering the elevation as an SVG.

diff --git a/nautobot/docs/installation/selinux-troubleshooting.md b/nautobot/docs/installation/selinux-troubleshooting.md
@@ -183,6 +183,6 @@ Content-Length: 18698
 Connection: keep-alive
 X-Content-Type-Options: nosniff
 Referrer-Policy: same-origin
-X-Frame-Options: SAMEORIGIN
+X-Frame-Options: DENY
 Vary: Cookie, Origin
 ```