Diffstat (limited to 'docs/ref/clickjacking.txt')
-rw-r--r-- | docs/ref/clickjacking.txt | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/docs/ref/clickjacking.txt b/docs/ref/clickjacking.txt index 6f505e2fae..f9bec591a7 100644 --- a/docs/ref/clickjacking.txt +++ b/docs/ref/clickjacking.txt @@ -59,7 +59,7 @@ To set the same ``X-Frame-Options`` value for all responses in your site, put MIDDLEWARE = [ ..., - 'django.middleware.clickjacking.XFrameOptionsMiddleware', + "django.middleware.clickjacking.XFrameOptionsMiddleware", ..., ] @@ -70,7 +70,7 @@ By default, the middleware will set the ``X-Frame-Options`` header to ``DENY`` for every outgoing ``HttpResponse``. If you want any other value for this header instead, set the :setting:`X_FRAME_OPTIONS` setting:: - X_FRAME_OPTIONS = 'SAMEORIGIN' + X_FRAME_OPTIONS = "SAMEORIGIN" When using the middleware there may be some views where you do **not** want the ``X-Frame-Options`` header set. For those cases, you can use a view decorator @@ -79,6 +79,7 @@ that tells the middleware not to set the header:: from django.http import HttpResponse from django.views.decorators.clickjacking import xframe_options_exempt + @xframe_options_exempt def ok_to_load_in_a_frame(request): return HttpResponse("This page is safe to load in a frame on any site.") @@ -99,10 +100,12 @@ decorators:: from django.views.decorators.clickjacking import xframe_options_deny from django.views.decorators.clickjacking import xframe_options_sameorigin + @xframe_options_deny def view_one(request): return HttpResponse("I won't display in any frame!") + @xframe_options_sameorigin def view_two(request): return HttpResponse("Display in a frame if it's from the same origin as me.") |
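Review bot: all four hunks are formatting-only (single quotes to double quotes in the `MIDDLEWARE` entry and the `X_FRAME_OPTIONS = "SAMEORIGIN"` example, plus a blank line before each `@xframe_options_*` decorator) and leave the documented behaviour unchanged: the default is still `DENY` for every `HttpResponse`, and the per-view `xframe_options_exempt`, `xframe_options_deny` and `xframe_options_sameorigin` decorators still override the middleware the same way. One thing to confirm before merging is that no other single-quoted string remains elsewhere in `docs/ref/clickjacking.txt`, since only the lines inside these hunks were converted and a mixed quote style in one doc page is the kind of inconsistency this change is meant to remove; a quick grep for `'` in the file settles it. The `MIDDLEWARE` snippet also still uses `...,` placeholders on both sides of the middleware entry, so readers are not told where in the list it should sit relative to other middleware; that is pre-existing and outside the scope of this reformat, but worth a follow-up if the surrounding prose does not already say so.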