Fixed #30426 -- Changed X_FRAME_OPTIONS setting default to DENY.
parent
5495ea3ae0
commit
05d0eca635
|
@ -415,7 +415,7 @@ DEFAULT_TABLESPACE = ''
|
||||||
DEFAULT_INDEX_TABLESPACE = ''
|
DEFAULT_INDEX_TABLESPACE = ''
|
||||||
|
|
||||||
# Default X-Frame-Options header value
|
# Default X-Frame-Options header value
|
||||||
X_FRAME_OPTIONS = 'SAMEORIGIN'
|
X_FRAME_OPTIONS = 'DENY'
|
||||||
|
|
||||||
USE_X_FORWARDED_HOST = False
|
USE_X_FORWARDED_HOST = False
|
||||||
USE_X_FORWARDED_PORT = False
|
USE_X_FORWARDED_PORT = False
|
||||||
|
|
|
@ -80,9 +80,8 @@ W019 = Warning(
|
||||||
"You have "
|
"You have "
|
||||||
"'django.middleware.clickjacking.XFrameOptionsMiddleware' in your "
|
"'django.middleware.clickjacking.XFrameOptionsMiddleware' in your "
|
||||||
"MIDDLEWARE, but X_FRAME_OPTIONS is not set to 'DENY'. "
|
"MIDDLEWARE, but X_FRAME_OPTIONS is not set to 'DENY'. "
|
||||||
"The default is 'SAMEORIGIN', but unless there is a good reason for "
|
"Unless there is a good reason for your site to serve other parts of "
|
||||||
"your site to serve other parts of itself in a frame, you should "
|
"itself in a frame, you should change it to 'DENY'.",
|
||||||
"change it to 'DENY'.",
|
|
||||||
id='security.W019',
|
id='security.W019',
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -37,9 +37,9 @@ class XFrameOptionsMiddleware(MiddlewareMixin):
|
||||||
def get_xframe_options_value(self, request, response):
|
def get_xframe_options_value(self, request, response):
|
||||||
"""
|
"""
|
||||||
Get the value to set for the X_FRAME_OPTIONS header. Use the value from
|
Get the value to set for the X_FRAME_OPTIONS header. Use the value from
|
||||||
the X_FRAME_OPTIONS setting, or 'SAMEORIGIN' if not set.
|
the X_FRAME_OPTIONS setting, or 'DENY' if not set.
|
||||||
|
|
||||||
This method can be overridden if needed, allowing it to vary based on
|
This method can be overridden if needed, allowing it to vary based on
|
||||||
the request or response.
|
the request or response.
|
||||||
"""
|
"""
|
||||||
return getattr(settings, 'X_FRAME_OPTIONS', 'SAMEORIGIN').upper()
|
return getattr(settings, 'X_FRAME_OPTIONS', 'DENY').upper()
|
||||||
|
|
|
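Review bot: The `'DENY'` fallback in `getattr(settings, 'X_FRAME_OPTIONS', 'DENY')` applies only when the attribute is absent; any value that is present is uppercased and returned without validation. A misspelled value would be sent as-is, and browsers generally ignore an X-Frame-Options value they do not recognise, so the response would stay frameable; an explicit `None` would fail on `.upper()`. I would add to the docstring `The value is not validated; an unrecognised value is sent unchanged.`, or compare against the known values before returning. Related: the release-notes text in this commit tells users to set `X_FRAME_ORIGINS = 'SAMEORIGIN'`, a name this method never reads, so that line presumably should say `X_FRAME_OPTIONS`. The enclosing class starts outside the hunk.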
@ -420,9 +420,8 @@ The following checks are run if you use the :option:`check --deploy` option:
|
||||||
* **security.W019**: You have
|
* **security.W019**: You have
|
||||||
:class:`django.middleware.clickjacking.XFrameOptionsMiddleware` in your
|
:class:`django.middleware.clickjacking.XFrameOptionsMiddleware` in your
|
||||||
:setting:`MIDDLEWARE`, but :setting:`X_FRAME_OPTIONS` is not set to
|
:setting:`MIDDLEWARE`, but :setting:`X_FRAME_OPTIONS` is not set to
|
||||||
``'DENY'``. The default is ``'SAMEORIGIN'``, but unless there is a good reason
|
``'DENY'``. Unless there is a good reason for your site to serve other parts
|
||||||
for your site to serve other parts of itself in a frame, you should change
|
of itself in a frame, you should change it to ``'DENY'``.
|
||||||
it to ``'DENY'``.
|
|
||||||
* **security.W020**: :setting:`ALLOWED_HOSTS` must not be empty in deployment.
|
* **security.W020**: :setting:`ALLOWED_HOSTS` must not be empty in deployment.
|
||||||
* **security.W021**: You have not set the
|
* **security.W021**: You have not set the
|
||||||
:setting:`SECURE_HSTS_PRELOAD` setting to ``True``. Without this, your site
|
:setting:`SECURE_HSTS_PRELOAD` setting to ``True``. Without this, your site
|
||||||
|
|
|
@ -67,10 +67,15 @@ This middleware is enabled in the settings file generated by
|
||||||
:djadmin:`startproject`.
|
:djadmin:`startproject`.
|
||||||
|
|
||||||
By default, the middleware will set the ``X-Frame-Options`` header to
|
By default, the middleware will set the ``X-Frame-Options`` header to
|
||||||
``SAMEORIGIN`` for every outgoing ``HttpResponse``. If you want ``DENY``
|
``DENY`` for every outgoing ``HttpResponse``. If you want any other value for
|
||||||
instead, set the :setting:`X_FRAME_OPTIONS` setting::
|
this header instead, set the :setting:`X_FRAME_OPTIONS` setting::
|
||||||
|
|
||||||
X_FRAME_OPTIONS = 'DENY'
|
X_FRAME_OPTIONS = 'SAMEORIGIN'
|
||||||
|
|
||||||
|
.. versionchanged:: 3.0
|
||||||
|
|
||||||
|
The default value of the :setting:`X_FRAME_OPTIONS` setting was changed
|
||||||
|
from ``SAMEORIGIN`` to ``DENY``.
|
||||||
|
|
||||||
When using the middleware there may be some views where you do **not** want the
|
When using the middleware there may be some views where you do **not** want the
|
||||||
``X-Frame-Options`` header set. For those cases, you can use a view decorator
|
``X-Frame-Options`` header set. For those cases, you can use a view decorator
|
||||||
|
@ -116,6 +121,7 @@ Browsers that support ``X-Frame-Options``
|
||||||
-----------------------------------------
|
-----------------------------------------
|
||||||
|
|
||||||
* Internet Explorer 8+
|
* Internet Explorer 8+
|
||||||
|
* Edge
|
||||||
* Firefox 3.6.9+
|
* Firefox 3.6.9+
|
||||||
* Opera 10.5+
|
* Opera 10.5+
|
||||||
* Safari 4+
|
* Safari 4+
|
||||||
|
|
|
@ -2795,12 +2795,15 @@ and :setting:`MONTH_DAY_FORMAT`.
|
||||||
``X_FRAME_OPTIONS``
|
``X_FRAME_OPTIONS``
|
||||||
-------------------
|
-------------------
|
||||||
|
|
||||||
Default: ``'SAMEORIGIN'``
|
Default: ``'DENY'``
|
||||||
|
|
||||||
The default value for the X-Frame-Options header used by
|
The default value for the X-Frame-Options header used by
|
||||||
:class:`~django.middleware.clickjacking.XFrameOptionsMiddleware`. See the
|
:class:`~django.middleware.clickjacking.XFrameOptionsMiddleware`. See the
|
||||||
:doc:`clickjacking protection </ref/clickjacking/>` documentation.
|
:doc:`clickjacking protection </ref/clickjacking/>` documentation.
|
||||||
|
|
||||||
|
.. versionchanged:: 3.0
|
||||||
|
|
||||||
|
In older versions, the default value is ``SAMEORIGIN``.
|
||||||
|
|
||||||
Auth
|
Auth
|
||||||
====
|
====
|
||||||
|
|
|
@ -535,6 +535,15 @@ upload handler is used.
|
||||||
``FILE_UPLOAD_PERMISSION`` now defaults to ``0o644`` to avoid this
|
``FILE_UPLOAD_PERMISSION`` now defaults to ``0o644`` to avoid this
|
||||||
inconsistency.
|
inconsistency.
|
||||||
|
|
||||||
|
New default value for the ``X_FRAME_OPTIONS`` setting
|
||||||
|
-----------------------------------------------------
|
||||||
|
|
||||||
|
In older versions, the :setting:`X_FRAME_OPTIONS` setting defaults to
|
||||||
|
``'SAMEORIGIN'``. To make Django projects more secure by default,
|
||||||
|
:setting:`X_FRAME_OPTIONS` now defaults to ``'DENY'``. If your site uses frames
|
||||||
|
of itself, you will need to explicitly set ``X_FRAME_ORIGINS = 'SAMEORIGIN'``
|
||||||
|
for them to continue working.
|
||||||
|
|
||||||
Miscellaneous
|
Miscellaneous
|
||||||
-------------
|
-------------
|
||||||
|
|
||||||
|
|
|
@ -621,12 +621,12 @@ class XFrameOptionsMiddlewareTest(SimpleTestCase):
|
||||||
def test_defaults_sameorigin(self):
|
def test_defaults_sameorigin(self):
|
||||||
"""
|
"""
|
||||||
If the X_FRAME_OPTIONS setting is not set then it defaults to
|
If the X_FRAME_OPTIONS setting is not set then it defaults to
|
||||||
SAMEORIGIN.
|
DENY.
|
||||||
"""
|
"""
|
||||||
with override_settings(X_FRAME_OPTIONS=None):
|
with override_settings(X_FRAME_OPTIONS=None):
|
||||||
del settings.X_FRAME_OPTIONS # restored by override_settings
|
del settings.X_FRAME_OPTIONS # restored by override_settings
|
||||||
r = XFrameOptionsMiddleware().process_response(HttpRequest(), HttpResponse())
|
r = XFrameOptionsMiddleware().process_response(HttpRequest(), HttpResponse())
|
||||||
self.assertEqual(r['X-Frame-Options'], 'SAMEORIGIN')
|
self.assertEqual(r['X-Frame-Options'], 'DENY')
|
||||||
|
|
||||||
def test_dont_set_if_set(self):
|
def test_dont_set_if_set(self):
|
||||||
"""
|
"""
|
||||||
|
|
|
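Review bot: The test is still named `test_defaults_sameorigin` although its docstring and assertion now expect `DENY`, so the name contradicts what it checks. Rename it to `def test_defaults_deny(self):` so that a failure report names the default actually being enforced. The following `test_dont_set_if_set` continues outside the hunk.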
@ -39,5 +39,5 @@ class TestStartProjectSettings(SimpleTestCase):
|
||||||
b'Content-Length: 0',
|
b'Content-Length: 0',
|
||||||
b'Content-Type: text/html; charset=utf-8',
|
b'Content-Type: text/html; charset=utf-8',
|
||||||
b'X-Content-Type-Options: nosniff',
|
b'X-Content-Type-Options: nosniff',
|
||||||
b'X-Frame-Options: SAMEORIGIN',
|
b'X-Frame-Options: DENY',
|
||||||
])
|
])
|
||||||
|
|