Refs #31949 -- Made @xframe_options_(deny/sameorigin/exempt) decorators to work with async functions.

AUTHORS

@@ -137,6 +137,7 @@ answer newbie questions, and generally made Django that much better:
     Ben Godfrey <http://aftnn.org>
     Benjamin Wohlwend <piquadrat@gmail.com>
     Ben Khoo <khoobks@westnet.com.au>
+    Ben Lomax <lomax.on.the.run@gmail.com>
     Ben Slavin <benjamin.slavin@gmail.com>
     Ben Sturmfels <ben@sturm.com.au>
     Berker Peksag <berker.peksag@gmail.com>

django/views/decorators/clickjacking.py

@@ -1,5 +1,7 @@
 from functools import wraps
 
+from asgiref.sync import iscoroutinefunction
+
 
 def xframe_options_deny(view_func):
     """
@@ -12,14 +14,23 @@ def xframe_options_deny(view_func):
         ...
     """
 
-    @wraps(view_func)
-    def wrapper_view(*args, **kwargs):
-        resp = view_func(*args, **kwargs)
-        if resp.get("X-Frame-Options") is None:
-            resp["X-Frame-Options"] = "DENY"
-        return resp
+    if iscoroutinefunction(view_func):
 
-    return wrapper_view
+        async def _view_wrapper(*args, **kwargs):
+            response = await view_func(*args, **kwargs)
+            if response.get("X-Frame-Options") is None:
+                response["X-Frame-Options"] = "DENY"
+            return response
+
+    else:
+
+        def _view_wrapper(*args, **kwargs):
+            response = view_func(*args, **kwargs)
+            if response.get("X-Frame-Options") is None:
+                response["X-Frame-Options"] = "DENY"
+            return response
+
+    return wraps(view_func)(_view_wrapper)
 
 
 def xframe_options_sameorigin(view_func):
@@ -33,14 +44,23 @@ def xframe_options_sameorigin(view_func):
         ...
     """
 
-    @wraps(view_func)
-    def wrapper_view(*args, **kwargs):
-        resp = view_func(*args, **kwargs)
-        if resp.get("X-Frame-Options") is None:
-            resp["X-Frame-Options"] = "SAMEORIGIN"
-        return resp
+    if iscoroutinefunction(view_func):
 
-    return wrapper_view
+        async def _view_wrapper(*args, **kwargs):
+            response = await view_func(*args, **kwargs)
+            if response.get("X-Frame-Options") is None:
+                response["X-Frame-Options"] = "SAMEORIGIN"
+            return response
+
+    else:
+
+        def _view_wrapper(*args, **kwargs):
+            response = view_func(*args, **kwargs)
+            if response.get("X-Frame-Options") is None:
+                response["X-Frame-Options"] = "SAMEORIGIN"
+            return response
+
+    return wraps(view_func)(_view_wrapper)
 
 
 def xframe_options_exempt(view_func):
@@ -53,10 +73,18 @@ def xframe_options_exempt(view_func):
         ...
     """
 
-    @wraps(view_func)
-    def wrapper_view(*args, **kwargs):
-        resp = view_func(*args, **kwargs)
-        resp.xframe_options_exempt = True
-        return resp
+    if iscoroutinefunction(view_func):
 
-    return wrapper_view
+        async def _view_wrapper(*args, **kwargs):
+            response = await view_func(*args, **kwargs)
+            response.xframe_options_exempt = True
+            return response
+
+    else:
+
+        def _view_wrapper(*args, **kwargs):
+            response = view_func(*args, **kwargs)
+            response.xframe_options_exempt = True
+            return response
+
+    return wraps(view_func)(_view_wrapper)

docs/ref/clickjacking.txt

@@ -90,6 +90,11 @@ that tells the middleware not to set the header::
     iframe, you may need to modify the :setting:`CSRF_COOKIE_SAMESITE` or
     :setting:`SESSION_COOKIE_SAMESITE` settings.
 
+.. versionchanged:: 5.0
+
+    Support for wrapping asynchronous view functions was added to the
+    ``@xframe_options_exempt`` decorator.
+
 Setting ``X-Frame-Options`` per view
 ------------------------------------
 
@@ -113,6 +118,11 @@ decorators::
 Note that you can use the decorators in conjunction with the middleware. Use of
 a decorator overrides the middleware.
 
+.. versionchanged:: 5.0
+
+    Support for wrapping asynchronous view functions was added to the
+    ``@xframe_options_deny`` and ``@xframe_options_sameorigin`` decorators.
+
 Limitations
 ===========
 

docs/releases/5.0.txt

@@ -233,9 +233,13 @@ CSRF
 Decorators
 ~~~~~~~~~~
 
-* The :func:`~django.views.decorators.cache.cache_control` and
-  :func:`~django.views.decorators.cache.never_cache` decorators now support
-  wrapping asynchronous view functions.
+* The following decorators now support wrapping asynchronous view functions:
+
+  * :func:`~django.views.decorators.cache.cache_control`
+  * :func:`~django.views.decorators.cache.never_cache`
+  * ``xframe_options_deny()``
+  * ``xframe_options_sameorigin()``
+  * ``xframe_options_exempt()``
 
 Email
 ~~~~~

docs/topics/async.txt

@@ -83,6 +83,9 @@ view functions:
 
 * :func:`~django.views.decorators.cache.cache_control`
 * :func:`~django.views.decorators.cache.never_cache`
+* ``xframe_options_deny()``
+* ``xframe_options_sameorigin()``
+* ``xframe_options_exempt()``
 
 For example::
 

tests/decorators/test_clickjacking.py

@@ -1,3 +1,5 @@
+from asgiref.sync import iscoroutinefunction
+
 from django.http import HttpRequest, HttpResponse
 from django.middleware.clickjacking import XFrameOptionsMiddleware
 from django.test import SimpleTestCase
@@ -9,6 +11,20 @@ from django.views.decorators.clickjacking import (
 
 
 class XFrameOptionsDenyTests(SimpleTestCase):
+    def test_wrapped_sync_function_is_not_coroutine_function(self):
+        def sync_view(request):
+            return HttpResponse()
+
+        wrapped_view = xframe_options_deny(sync_view)
+        self.assertIs(iscoroutinefunction(wrapped_view), False)
+
+    def test_wrapped_async_function_is_coroutine_function(self):
+        async def async_view(request):
+            return HttpResponse()
+
+        wrapped_view = xframe_options_deny(async_view)
+        self.assertIs(iscoroutinefunction(wrapped_view), True)
+
     def test_decorator_sets_x_frame_options_to_deny(self):
         @xframe_options_deny
         def a_view(request):
@@ -17,8 +33,30 @@ class XFrameOptionsDenyTests(SimpleTestCase):
         response = a_view(HttpRequest())
         self.assertEqual(response.headers["X-Frame-Options"], "DENY")
 
+    async def test_decorator_sets_x_frame_options_to_deny_async_view(self):
+        @xframe_options_deny
+        async def an_async_view(request):
+            return HttpResponse()
+
+        response = await an_async_view(HttpRequest())
+        self.assertEqual(response.headers["X-Frame-Options"], "DENY")
+
 
 class XFrameOptionsSameoriginTests(SimpleTestCase):
+    def test_wrapped_sync_function_is_not_coroutine_function(self):
+        def sync_view(request):
+            return HttpResponse()
+
+        wrapped_view = xframe_options_sameorigin(sync_view)
+        self.assertIs(iscoroutinefunction(wrapped_view), False)
+
+    def test_wrapped_async_function_is_coroutine_function(self):
+        async def async_view(request):
+            return HttpResponse()
+
+        wrapped_view = xframe_options_sameorigin(async_view)
+        self.assertIs(iscoroutinefunction(wrapped_view), True)
+
     def test_decorator_sets_x_frame_options_to_sameorigin(self):
         @xframe_options_sameorigin
         def a_view(request):
@@ -27,8 +65,30 @@ class XFrameOptionsSameoriginTests(SimpleTestCase):
         response = a_view(HttpRequest())
         self.assertEqual(response.headers["X-Frame-Options"], "SAMEORIGIN")
 
+    async def test_decorator_sets_x_frame_options_to_sameorigin_async_view(self):
+        @xframe_options_sameorigin
+        async def an_async_view(request):
+            return HttpResponse()
+
+        response = await an_async_view(HttpRequest())
+        self.assertEqual(response.headers["X-Frame-Options"], "SAMEORIGIN")
+
 
 class XFrameOptionsExemptTests(SimpleTestCase):
+    def test_wrapped_sync_function_is_not_coroutine_function(self):
+        def sync_view(request):
+            return HttpResponse()
+
+        wrapped_view = xframe_options_exempt(sync_view)
+        self.assertIs(iscoroutinefunction(wrapped_view), False)
+
+    def test_wrapped_async_function_is_coroutine_function(self):
+        async def async_view(request):
+            return HttpResponse()
+
+        wrapped_view = xframe_options_exempt(async_view)
+        self.assertIs(iscoroutinefunction(wrapped_view), True)
+
     def test_decorator_stops_x_frame_options_being_set(self):
         """
         @xframe_options_exempt instructs the XFrameOptionsMiddleware to NOT set
@@ -48,3 +108,18 @@ class XFrameOptionsExemptTests(SimpleTestCase):
         # middleware's functionality.
         middleware_response = XFrameOptionsMiddleware(a_view)(request)
         self.assertIsNone(middleware_response.get("X-Frame-Options"))
+
+    async def test_exempt_decorator_async_view(self):
+        @xframe_options_exempt
+        async def an_async_view(request):
+            return HttpResponse()
+
+        request = HttpRequest()
+        response = await an_async_view(request)
+        self.assertIsNone(response.get("X-Frame-Options"))
+        self.assertIs(response.xframe_options_exempt, True)
+
+        # The real purpose of the exempt decorator is to suppress the
+        # middleware's functionality.
+        middleware_response = await XFrameOptionsMiddleware(an_async_view)(request)
+        self.assertIsNone(middleware_response.get("X-Frame-Options"))