How to remove the X-Frame-Options header in Django?

amulya349 · Jul 2, 2015 · Viewed 8.1k times

I have made a page which has an iframe. Inside the iframe I want to show multiple different links, like an article from Facebook, or news, or a YouTube video, or any other possible URL. But due to the Xframe header, I am unable to do so. I referred to the following links: https://docs.djangoproject.com/en/1.8/ref/clickjacking/ and "Django XFrameOptionsMiddleware (X-Frame-Options) - allow iframe by client IP", but didn't get any help.

My settings.py file's MIDDLEWARE_CLASSES is:

MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
)

From http://django-secure.readthedocs.org/en/latest/middleware.html, I found that my problem can be solved using the decorator @frame_deny_exempt. Still, I am getting the same error in the Chrome console, i.e. Refused to display '<URL>' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN, SAMEORIGIN'.

Any help with this?

Answer

yoshi · Aug 14, 2015

I have a couple of Django sites and someone wanted to show them in an iframe. It was not possible because the "x-frame-options" header value is always SAMEORIGIN. I could not remove the "x-frame-options" header value no matter what I did.

So finally I decided to do the last resort solution, which is to modify httpd.conf. I added this line:

  Header always set X-Frame-Options ALLOWALL

And it is shown in an iframe.
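
Added example, not part of the answer above and not Django or Apache code: a Python model of the X-Frame-Options check in the current HTML Standard, showing how the values seen on this page ('SAMEORIGIN, SAMEORIGIN' and ALLOWALL) are evaluated and why a response that ends up carrying both SAMEORIGIN and ALLOWALL is blocked. The function names are hypothetical, header parsing is simplified to comma splitting, and browsers from 2015 may have behaved differently.

```python
# Added example: models the X-Frame-Options check from the HTML Standard.
# Names are illustrative; they are not Django, Apache or browser APIs.

KNOWN = {"deny", "sameorigin", "allowall"}


def has_frame_ancestors(csp_values):
    """True if any enforced Content-Security-Policy line sets frame-ancestors."""
    for policy in csp_values:
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return True
    return False


def xfo_check(xfo_values, csp_values=(), same_origin=False):
    """Return (passes, reason) for the X-Frame-Options check on a framed response.

    xfo_values:  every X-Frame-Options header line on the response.
    csp_values:  every enforced Content-Security-Policy header line.
    same_origin: whether all embedding pages share the response's origin.
    CSP frame-ancestors, when present, is enforced separately by the browser.
    """
    if has_frame_ancestors(csp_values):
        return True, "X-Frame-Options skipped; CSP frame-ancestors decides"
    # Repeated header lines are combined, split on commas, lowercased, de-duplicated.
    tokens = {t.strip().lower() for v in xfo_values for t in v.split(",")}
    tokens.discard("")
    if not tokens:
        return True, "no X-Frame-Options value"
    if len(tokens) > 1:
        if tokens & KNOWN:
            return False, "conflicting values; framing blocked"
        return True, "only unrecognised values; header ignored"
    (token,) = tokens
    if token == "deny":
        return False, "DENY"
    if token == "sameorigin":
        return same_origin, "SAMEORIGIN"
    return True, "'%s' imposes no restriction" % token


if __name__ == "__main__":
    # Header values quoted on this page, plus one constructed conflict case.
    for lines in (["SAMEORIGIN, SAMEORIGIN"], ["ALLOWALL"], ["SAMEORIGIN", "ALLOWALL"]):
        print(lines, xfo_check(lines))
```

When the header is set in more than one layer (middleware and web server), passing the response's raw header lines to `xfo_check` shows whether the layers agree or produce a conflicting pair.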