Fixed #30426 -- Changed X_FRAME_OPTIONS setting default to DENY.

Claude Paroz 2019-09-07 09:52:10 +02:00 committed by Mariusz Felisiak
parent 5495ea3ae0
commit 05d0eca635
9 changed files with 32 additions and 16 deletions


@ -415,7 +415,7 @@ DEFAULT_TABLESPACE = ''
DEFAULT_INDEX_TABLESPACE = '' DEFAULT_INDEX_TABLESPACE = ''
# Default X-Frame-Options header value # Default X-Frame-Options header value
X_FRAME_OPTIONS = 'SAMEORIGIN' X_FRAME_OPTIONS = 'DENY'
USE_X_FORWARDED_HOST = False USE_X_FORWARDED_HOST = False
USE_X_FORWARDED_PORT = False USE_X_FORWARDED_PORT = False
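Review bot: The comment on the new default does not record that `django.middleware.clickjacking.XFrameOptionsMiddleware` hard-codes the same `'DENY'` string as its getattr fallback in this commit, so the two defaults are now encoded in two places and must be changed together. Suggest expanding it to `# Default X-Frame-Options header value; 'DENY' blocks all framing, keep in sync with the fallback in django.middleware.clickjacking.XFrameOptionsMiddleware`. Projects that legitimately frame their own pages now have to set `'SAMEORIGIN'` explicitly, which the release note in this commit covers.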


@ -80,9 +80,8 @@ W019 = Warning(
"You have " "You have "
"'django.middleware.clickjacking.XFrameOptionsMiddleware' in your " "'django.middleware.clickjacking.XFrameOptionsMiddleware' in your "
"MIDDLEWARE, but X_FRAME_OPTIONS is not set to 'DENY'. " "MIDDLEWARE, but X_FRAME_OPTIONS is not set to 'DENY'. "
"The default is 'SAMEORIGIN', but unless there is a good reason for " "Unless there is a good reason for your site to serve other parts of "
"your site to serve other parts of itself in a frame, you should " "itself in a frame, you should change it to 'DENY'.",
"change it to 'DENY'.",
id='security.W019', id='security.W019',
) )


@ -37,9 +37,9 @@ class XFrameOptionsMiddleware(MiddlewareMixin):
def get_xframe_options_value(self, request, response): def get_xframe_options_value(self, request, response):
""" """
Get the value to set for the X_FRAME_OPTIONS header. Use the value from Get the value to set for the X_FRAME_OPTIONS header. Use the value from
the X_FRAME_OPTIONS setting, or 'SAMEORIGIN' if not set. the X_FRAME_OPTIONS setting, or 'DENY' if not set.
This method can be overridden if needed, allowing it to vary based on This method can be overridden if needed, allowing it to vary based on
the request or response. the request or response.
""" """
return getattr(settings, 'X_FRAME_OPTIONS', 'SAMEORIGIN').upper() return getattr(settings, 'X_FRAME_OPTIONS', 'DENY').upper()
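Review bot: The new return line upper-cases the setting but never validates it, so a misspelled value (a constructed example: `'SAME-ORIGIN'`) is emitted verbatim, and browsers generally ignore an unrecognized X-Frame-Options value, which leaves the response frameable even though the header looks set. The only safety net visible in this commit is the deploy check W019, which warns whenever the value is not `'DENY'`, so an invalid value surfaces only through `check --deploy` rather than at runtime. The docstring should say so: `Values other than 'DENY' or 'SAMEORIGIN' are passed through unchanged; an unrecognized value is ignored by browsers and is reported by the security.W019 deploy check.` The enclosing class continues outside the hunk.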


@ -420,9 +420,8 @@ The following checks are run if you use the :option:`check --deploy` option:
* **security.W019**: You have * **security.W019**: You have
:class:`django.middleware.clickjacking.XFrameOptionsMiddleware` in your :class:`django.middleware.clickjacking.XFrameOptionsMiddleware` in your
:setting:`MIDDLEWARE`, but :setting:`X_FRAME_OPTIONS` is not set to :setting:`MIDDLEWARE`, but :setting:`X_FRAME_OPTIONS` is not set to
``'DENY'``. The default is ``'SAMEORIGIN'``, but unless there is a good reason ``'DENY'``. Unless there is a good reason for your site to serve other parts
for your site to serve other parts of itself in a frame, you should change of itself in a frame, you should change it to ``'DENY'``.
it to ``'DENY'``.
* **security.W020**: :setting:`ALLOWED_HOSTS` must not be empty in deployment. * **security.W020**: :setting:`ALLOWED_HOSTS` must not be empty in deployment.
* **security.W021**: You have not set the * **security.W021**: You have not set the
:setting:`SECURE_HSTS_PRELOAD` setting to ``True``. Without this, your site :setting:`SECURE_HSTS_PRELOAD` setting to ``True``. Without this, your site


@ -67,10 +67,15 @@ This middleware is enabled in the settings file generated by
:djadmin:`startproject`. :djadmin:`startproject`.
By default, the middleware will set the ``X-Frame-Options`` header to By default, the middleware will set the ``X-Frame-Options`` header to
``SAMEORIGIN`` for every outgoing ``HttpResponse``. If you want ``DENY`` ``DENY`` for every outgoing ``HttpResponse``. If you want any other value for
instead, set the :setting:`X_FRAME_OPTIONS` setting:: this header instead, set the :setting:`X_FRAME_OPTIONS` setting::
X_FRAME_OPTIONS = 'DENY' X_FRAME_OPTIONS = 'SAMEORIGIN'
.. versionchanged:: 3.0
The default value of the :setting:`X_FRAME_OPTIONS` setting was changed
from ``SAMEORIGIN`` to ``DENY``.
When using the middleware there may be some views where you do **not** want the When using the middleware there may be some views where you do **not** want the
``X-Frame-Options`` header set. For those cases, you can use a view decorator ``X-Frame-Options`` header set. For those cases, you can use a view decorator
@ -116,6 +121,7 @@ Browsers that support ``X-Frame-Options``
----------------------------------------- -----------------------------------------
* Internet Explorer 8+ * Internet Explorer 8+
* Edge
* Firefox 3.6.9+ * Firefox 3.6.9+
* Opera 10.5+ * Opera 10.5+
* Safari 4+ * Safari 4+


@ -2795,12 +2795,15 @@ and :setting:`MONTH_DAY_FORMAT`.
``X_FRAME_OPTIONS`` ``X_FRAME_OPTIONS``
------------------- -------------------
Default: ``'SAMEORIGIN'`` Default: ``'DENY'``
The default value for the X-Frame-Options header used by The default value for the X-Frame-Options header used by
:class:`~django.middleware.clickjacking.XFrameOptionsMiddleware`. See the :class:`~django.middleware.clickjacking.XFrameOptionsMiddleware`. See the
:doc:`clickjacking protection </ref/clickjacking/>` documentation. :doc:`clickjacking protection </ref/clickjacking/>` documentation.
.. versionchanged:: 3.0
In older versions, the default value is ``SAMEORIGIN``.
Auth Auth
==== ====


@ -535,6 +535,15 @@ upload handler is used.
``FILE_UPLOAD_PERMISSION`` now defaults to ``0o644`` to avoid this ``FILE_UPLOAD_PERMISSION`` now defaults to ``0o644`` to avoid this
inconsistency. inconsistency.
New default value for the ``X_FRAME_OPTIONS`` setting
-----------------------------------------------------
In older versions, the :setting:`X_FRAME_OPTIONS` setting defaults to
``'SAMEORIGIN'``. To make Django projects more secure by default,
:setting:`X_FRAME_OPTIONS` now defaults to ``'DENY'``. If your site uses frames
of itself, you will need to explicitly set ``X_FRAME_ORIGINS = 'SAMEORIGIN'``
for them to continue working.
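Review bot: The added release note names a setting that does not exist: `X_FRAME_ORIGINS = 'SAMEORIGIN'` should read `X_FRAME_OPTIONS = 'SAMEORIGIN'`, matching the `:setting:` reference two lines earlier and the example in the clickjacking docs hunk of this same commit. A reader following the note as written would add an unused setting while their self-framed pages keep failing under the new `'DENY'` default, so this is worth fixing before release.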
Miscellaneous Miscellaneous
------------- -------------


@ -621,12 +621,12 @@ class XFrameOptionsMiddlewareTest(SimpleTestCase):
def test_defaults_sameorigin(self): def test_defaults_sameorigin(self):
""" """
If the X_FRAME_OPTIONS setting is not set then it defaults to If the X_FRAME_OPTIONS setting is not set then it defaults to
SAMEORIGIN. DENY.
""" """
with override_settings(X_FRAME_OPTIONS=None): with override_settings(X_FRAME_OPTIONS=None):
del settings.X_FRAME_OPTIONS # restored by override_settings del settings.X_FRAME_OPTIONS # restored by override_settings
r = XFrameOptionsMiddleware().process_response(HttpRequest(), HttpResponse()) r = XFrameOptionsMiddleware().process_response(HttpRequest(), HttpResponse())
self.assertEqual(r['X-Frame-Options'], 'SAMEORIGIN') self.assertEqual(r['X-Frame-Options'], 'DENY')
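Review bot: The test is still named `test_defaults_sameorigin` although its docstring and assertion now expect `'DENY'`, so the name contradicts the behaviour it pins; rename it to `test_defaults_deny` in the same change. The `override_settings(X_FRAME_OPTIONS=None)` plus `del settings.X_FRAME_OPTIONS` pattern appears to exercise the middleware's own hard-coded fallback rather than the global_settings default, which deserves a comment so the next maintainer does not "simplify" it away: `# deleting the attribute exercises the middleware's getattr fallback, not the global_settings default`.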
def test_dont_set_if_set(self): def test_dont_set_if_set(self):
""" """


@ -39,5 +39,5 @@ class TestStartProjectSettings(SimpleTestCase):
b'Content-Length: 0', b'Content-Length: 0',
b'Content-Type: text/html; charset=utf-8', b'Content-Type: text/html; charset=utf-8',
b'X-Content-Type-Options: nosniff', b'X-Content-Type-Options: nosniff',
b'X-Frame-Options: SAMEORIGIN', b'X-Frame-Options: DENY',
]) ])