Added decorator for X-Frame header

2026-01-17 05:22:16 +00:00 · 2016-10-07 02:51:08 +01:00
parent 7e379b33db
commit 8a838aa4bd
2 changed files with 14 additions and 3 deletions
--- a/PyRIGS/decorators.py
+++ b/PyRIGS/decorators.py
@@ -4,6 +4,17 @@ from django.template import RequestContext
 from django.http import HttpResponseRedirect
 from django.core.urlresolvers import reverse

+def allow_embed():
+    # using django.views.decorators.clickjacking.xframe_options_exempt removes the header
+    # Safari has differnet defaults to other browsers, so we have to set it explicitly
+    def headers_wrapper(fun):
+        def wrapped_function(*args, **kwargs):
+            response = fun(*args, **kwargs)
+            response['X-Frame-Options'] = "ALLOW"
+            return response
+        return wrapped_function
+    return headers_wrapper
+
 def user_passes_test_with_403(test_func, login_url=None, oembed_view=None):
    """
    Decorator for views that checks that the user passes the given test.
--- a/RIGS/urls.py
+++ b/RIGS/urls.py
@@ -2,10 +2,10 @@ from django.conf.urls import patterns, include, url
 from django.contrib.auth.decorators import login_required
 from RIGS import models, views, rigboard, finance, ical, versioning, forms
 from django.views.generic import RedirectView
-from django.views.decorators.clickjacking import xframe_options_exempt

 from PyRIGS.decorators import permission_required_with_403
 from PyRIGS.decorators import api_key_required
+from PyRIGS.decorators import allow_embed

 urlpatterns = patterns('',
                       # Examples:
@@ -15,7 +15,7 @@ urlpatterns = patterns('',
                       url(r'^closemodal/$', views.CloseModal.as_view(), name='closemodal'),

                       url('^user/login/$', 'RIGS.views.login', name='login'),
-                       url('^user/login/embed/$', xframe_options_exempt(views.login_embed), name='login_embed'),
+                       url('^user/login/embed/$', allow_embed()(views.login_embed), name='login_embed'),
                       url(r'^user/password_reset/$', 'django.contrib.auth.views.password_reset', {'password_reset_form':forms.PasswordReset}),

                       # People
@@ -85,7 +85,7 @@ urlpatterns = patterns('',
                           permission_required_with_403('RIGS.view_event', oembed_view="event_oembed")(rigboard.EventDetail.as_view()),
                           name='event_detail'),
                       url(r'^event/(?P<pk>\d+)/embed/$',
-                           xframe_options_exempt(permission_required_with_403('RIGS.view_event', login_url='/user/login/embed/')(rigboard.EventEmbed.as_view())),
+                           allow_embed()(permission_required_with_403('RIGS.view_event', login_url='/user/login/embed/')(rigboard.EventEmbed.as_view())),
                           name='event_embed'),
                       url(r'^event/(?P<pk>\d+)/oembed_json/$',
                           rigboard.EventOembed.as_view(),