问题
I'm using Django XFrameOptionsMiddleware to control clickjacking, but I have a customer that needs to be able to browse the app in an iframe from within their network. I want to be able to apply (or remove) the xframe_options_exempt decorator from within the view method.
回答1:
Best approach is to override get_xframe_options_value. XFRAME_EXEMPT_IPS is a glob_list in my case to detect allowable networks using fnmatch (192.168.*).
class TFXFrameOptionsMiddleware(XFrameOptionsMiddleware):
def get_xframe_options_value(self, request, response):
if request.META['REMOTE_ADDR'] in settings.XFRAME_EXEMPT_IPS:
return 'ALLOWALL' # non standard, equivalent to omitting
return getattr(settings, 'X_FRAME_OPTIONS', 'SAMEORIGIN').upper()
来源:https://stackoverflow.com/questions/25773005/django-xframeoptionsmiddleware-x-frame-options-allow-iframe-by-client-ip