From f0ba799edf4f9948da28b5df2000a092ad6a150d Mon Sep 17 00:00:00 2001 From: Clemens Wolff Date: Fri, 29 Apr 2022 15:17:27 -0400 Subject: [PATCH] Refs #30426 -- Updated XFrameOptionsMiddleware docstring. Follow up to 05d0eca635853564c57e639ac5590674a7de2ed6. --- django/middleware/clickjacking.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/django/middleware/clickjacking.py b/django/middleware/clickjacking.py index 072f4148a2..f0c99710e6 100644 --- a/django/middleware/clickjacking.py +++ b/django/middleware/clickjacking.py @@ -16,10 +16,10 @@ class XFrameOptionsMiddleware(MiddlewareMixin): Do not set the header if it's already set or if the response contains a xframe_options_exempt value set to True. - By default, set the X-Frame-Options header to 'SAMEORIGIN', meaning the - response can only be loaded on a frame within the same site. To prevent the - response from being loaded in a frame in any site, set X_FRAME_OPTIONS in - your project's Django settings to 'DENY'. + By default, set the X-Frame-Options header to 'DENY', meaning the response + cannot be displayed in a frame, regardless of the site attempting to do so. + To enable the response to be loaded on a frame within the same site, set + X_FRAME_OPTIONS in your project's Django settings to 'SAMEORIGIN'. """ def process_response(self, request, response):