Re: [Django] #14261: Add clickjacking protection (X-Frame-Options header)


Django

May 30, 2011, 6:27:45 PM5/30/11
to django-...@googlegroups.com
#14261: Add clickjacking protection (X-Frame-Options header)
-------------------------------------+-------------------------------------
Reporter: rniemeyer | Owner: rniemeyer
Type: New feature | Status: assigned
Milestone: | Component: HTTP handling
Version: 1.2 | Severity: Normal
Resolution: | Keywords: clickjacking x_frame_options
Triage Stage: Accepted | Has patch: 1
Needs documentation: 1 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
-------------------------------------+-------------------------------------
Changes (by lukeplant):

* needs_better_patch: 1 => 0
* easy: => 0


Comment:

Thanks for the great patch, I will commit it shortly.

I did have to change a fair number of things - it was easier for me to do
so because I'm familiar with all our standards etc. Since I'd like to
encourage you to continue contributing to Django, but want to make it
easier to add your contributions, I've included below the list of things I
changed, mainly to highlight things you probably wouldn't have been aware
of:

* Docs:
  * wrapped to 80 characters, as per our
    [https://docs.djangoproject.com/en/dev/internals/contributing/writing-documentation/ guidelines for writing docs]
  * added some blank lines after headers. This makes it easier to re-wrap
    in editors, and is consistent with the rest of our docs.
  * corrected some indentation, so that lists appeared correctly
    formatted.
  * moved the main docs file out of the contrib directory - that's for
    contrib apps. (The CSRF docs are currently in the wrong place, because
    that **used** to be a contrib app, but now is core, and I don't think
    we've got a good way of doing re-direction yet).
  * added a 'versionadded' Sphinx directive
  * fixed some Python syntax errors (noticed from the lack of code
    highlighting in the built docs.)
  * used standard capitalization of X-Frame-Options throughout.
  * other misc spelling corrections to docs.
  * added section to ref/middleware.txt
  * added section to ref/settings.txt
* Code:
  * added setting to django/conf/global_settings.py
  * removed trailing whitespace in various files. (You can often configure
    your editor to show this, and most colorized diff tools, like
    [http://colordiff.sourceforge.net/ colordiff], will highlight this - they
    can often be used in conjunction with 'svn diff' etc.).
  * used standard capitalization of X-Frame-Options in response header.
  * changed tearDown in tests so that it restores the original value of
    the setting (which will now always be there, since we added it to
    global_settings.py), rather than remove any setting.
  * removed a Python 2.4 fallback that's no longer necessary.

And also:
* as discussed, I added the middleware to the project template, commented
out.
* added this to the release notes, as a worthy feature addition.
* added you to AUTHORS. I put your Google profile as the link - please say
if you'd prefer your e-mail address or a different website.

Finally, as a matter of process, you should update the 'Patch needs
improvement/Needs docs/Needs tests' flags when you think you've addressed
any issues - otherwise the committers will generally wait for the original
author to fix the patch up unless they are particularly motivated about
the feature/bug.

--
Ticket URL: <https://code.djangoproject.com/ticket/14261#comment:9>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

May 30, 2011, 6:27:49 PM5/30/11
to django-...@googlegroups.com
#14261: Add clickjacking protection (X-Frame-Options header)
-------------------------------------+-------------------------------------
Reporter: rniemeyer | Owner: rniemeyer
Type: New feature | Status: closed
Milestone: | Component: HTTP handling
Version: 1.2 | Severity: Normal
Resolution: fixed | Keywords: clickjacking x_frame_options
Triage Stage: Accepted | Has patch: 1
Needs documentation: 1 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
-------------------------------------+-------------------------------------
Changes (by lukeplant):

* status: assigned => closed
* resolution: => fixed


Comment:

In [16298]:
{{{
#!CommitTicketReference repository="" revision="16298"
Fixed #14261 - Added clickjacking protection (X-Frame-Options header)

Many thanks to rniemeyer for the patch!
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/14261#comment:10>

Django

Jul 23, 2013, 12:30:48 PM7/23/13
to django-...@googlegroups.com
#14261: Add clickjacking protection (X-Frame-Options header)
-------------------------------------+-------------------------------------
Reporter: rniemeyer | Owner: rniemeyer
Type: New feature | Status: closed
Component: HTTP handling | Version: 1.2
Severity: Normal | Resolution: fixed
Keywords: clickjacking x_frame_options | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by jfialkoff):

* ui_ux: => 0


Comment:

Hopefully I'm not missing it, but it seems like this page
(https://docs.djangoproject.com/en/dev/ref/clickjacking/) should mention
the exempt decorator but does not.

--
Ticket URL: <https://code.djangoproject.com/ticket/14261#comment:11>

Django

Jul 23, 2013, 12:34:28 PM7/23/13
to django-...@googlegroups.com
#14261: Add clickjacking protection (X-Frame-Options header)
-------------------------------------+-------------------------------------
Reporter: rniemeyer | Owner: rniemeyer
Type: New feature | Status: closed
Component: HTTP handling | Version: 1.2
Severity: Normal | Resolution: fixed
Keywords: clickjacking x_frame_options | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by timo):

I see `@xframe_options_exempt` on that page.

--
Ticket URL: <https://code.djangoproject.com/ticket/14261#comment:12>
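The pieces this ticket puts together (a global setting that supplies the header value, middleware that adds the header to every response, a decorator that lets a single view opt out, and a test tearDown that restores the setting instead of deleting it) fit into one small model. The following is an added example written for this thread; it is not Django's middleware, decorator or test code. `Settings`, `Response`, `dispatch` and `override_x_frame_options` are hypothetical stand-ins, and the default value, the "view already set the header" rule and the rejection of unrecognised values are choices made here for illustration.

```python
"""Model of Django-style X-Frame-Options clickjacking protection.

Added illustration, not Django's own code. Names are hypothetical
stand-ins for the pattern discussed in ticket #14261.
"""
from contextlib import contextmanager
from functools import wraps


class Settings:
    # Assumed default for this example.
    X_FRAME_OPTIONS = "SAMEORIGIN"


settings = Settings()

# Browsers ignore an X-Frame-Options value they do not recognise, which
# silently leaves the page frameable, so anything else is rejected here.
VALID_VALUES = ("DENY", "SAMEORIGIN")


class Response:
    """Minimal stand-in for an HTTP response with case-insensitive headers."""

    def __init__(self, body=""):
        self.body = body
        self._headers = {}  # lower-cased name -> (name as set, value)
        self.xframe_options_exempt = False

    def __setitem__(self, name, value):
        self._headers[name.lower()] = (name, value)

    def get(self, name, default=None):
        return self._headers.get(name.lower(), (name, default))[1]

    def has_header(self, name):
        return name.lower() in self._headers


def xframe_options_exempt(view):
    """Flag a view's responses so the middleware leaves them frameable."""

    @wraps(view)
    def wrapped(request, *args, **kwargs):
        response = view(request, *args, **kwargs)
        response.xframe_options_exempt = True
        return response

    return wrapped


def get_xframe_options_value():
    """Read the policy from settings, normalised to upper case."""
    value = str(getattr(settings, "X_FRAME_OPTIONS", "DENY")).upper()
    if value not in VALID_VALUES:
        raise ValueError("X_FRAME_OPTIONS must be one of %s, got %r"
                         % (VALID_VALUES, value))
    return value


def xframe_options_middleware(get_response):
    """Add X-Frame-Options unless the view opted out or set it itself."""

    def middleware(request):
        response = get_response(request)
        if response.xframe_options_exempt:
            return response
        if response.has_header("X-Frame-Options"):
            return response  # the view already chose a policy
        response["X-Frame-Options"] = get_xframe_options_value()
        return response

    return middleware


def dispatch(view, request=None):
    """Run one view through the middleware and return its response."""
    return xframe_options_middleware(view)(request)


@contextmanager
def override_x_frame_options(value):
    """Change the setting for a block, then put the original value back.

    Mirrors the tearDown behaviour asked for in the ticket: restore the old
    value rather than deleting the attribute, since the setting always
    exists once it has a global default.
    """
    original = settings.X_FRAME_OPTIONS
    settings.X_FRAME_OPTIONS = value
    try:
        yield
    finally:
        settings.X_FRAME_OPTIONS = original


# Constructed sample views for the demonstration.
def plain_view(request):
    return Response("ordinary page")


@xframe_options_exempt
def embeddable_widget(request):
    return Response("widget meant to be framed by other sites")


def locked_down(request):
    response = Response("sensitive page")
    response["X-Frame-Options"] = "DENY"  # stricter than the site default
    return response


if __name__ == "__main__":
    for view in (plain_view, embeddable_widget, locked_down):
        print(view.__name__, "->", dispatch(view).get("X-Frame-Options"))
```

Running the module prints the header each sample view ends up with: the plain view gets the site default, the exempt view gets no header at all, and the view that set `DENY` itself keeps it. HTTP header names are case-insensitive, so the capitalisation change in the committed patch is about consistency rather than browser behaviour; the `Response` stand-in stores names lower-cased for that reason. The `override_x_frame_options` helper is the save-and-restore pattern a test should use so that a failing assertion inside the block cannot leave a changed setting behind for later tests.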
