Override X-Frame-Options specifically for the rack-elevation SVG view #943
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Screenshots showing that for requests (such as the base Rack detail view) we are now defaulting to DENY (see the bottom right of each image):
but for the SVG rendering specifically we are using SAMEORIGIN:
|
jedelman8
approved these changes
Sep 24, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes: #939
Instead of setting
X_FRAME_OPTIONS = "SAMEORIGIN"globally, which Django complains about as a generalized security risk, change the global default back to the recommended setting of"DENY"and use a Django view decorator to specifically set"SAMEORIGIN"for the one view (rack-elevation SVG rendering) where it's needed.