| author | Anton Samarchyan <anton.samarchyan@savoirfairelinux.com> | 2017-01-24 15:37:33 -0500 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2017-03-04 10:02:06 -0500 |
| commit | 86de930f413e0ad902e11d78ac988e6743202ea6 (patch) | |
| tree | 790dcc4c38125b619ffee76b5531155d0d8232f4 /django/middleware/clickjacking.py | |
| parent | 6ae1b04fb584db0fdb22b8e287784c4ed3ac62ac (diff) | |
Refs #27656 -- Updated remaining docstring verbs according to PEP 257.
Diffstat (limited to 'django/middleware/clickjacking.py')
| -rw-r--r-- | django/middleware/clickjacking.py | 18 |
1 files changed, 5 insertions, 13 deletions
diff --git a/django/middleware/clickjacking.py b/django/middleware/clickjacking.py
index 8659646c61..a0506142b9 100644
--- a/django/middleware/clickjacking.py
+++ b/django/middleware/clickjacking.py
@@ -11,21 +11,15 @@ from django.utils.deprecation import MiddlewareMixin
 class XFrameOptionsMiddleware(MiddlewareMixin):
     """
-    Middleware that sets the X-Frame-Options HTTP header in HTTP responses.
+    Set the X-Frame-Options HTTP header in HTTP responses.
-    Does not set the header if it's already set or if the response contains
+    Do not set the header if it's already set or if the response contains
     a xframe_options_exempt value set to True.
-    By default, sets the X-Frame-Options header to 'SAMEORIGIN', meaning the
+    By default, set the X-Frame-Options header to 'SAMEORIGIN', meaning the
     response can only be loaded on a frame within the same site. To prevent the
     response from being loaded in a frame in any site, set X_FRAME_OPTIONS in
     your project's Django settings to 'DENY'.
-
-    Note: older browsers will quietly ignore this header, thus other
-    clickjacking protection techniques should be used if protection in those
-    browsers is required.
-
-    https://en.wikipedia.org/wiki/Clickjacking#Server_and_client
     """
     def process_response(self, request, response):
         # Don't set it if it's already in the response
@@ -42,10 +36,8 @@ class XFrameOptionsMiddleware(MiddlewareMixin):
     def get_xframe_options_value(self, request, response):
         """
-        Gets the value to set for the X_FRAME_OPTIONS header.
-
-        By default this uses the value from the X_FRAME_OPTIONS Django
-        settings. If not found in settings, defaults to 'SAMEORIGIN'.
+        Get the value to set for the X_FRAME_OPTIONS header. Use the value from
+        the X_FRAME_OPTIONS setting, or 'SAMEORIGIN' if not set.
         This method can be overridden if needed, allowing it to vary based on
         the request or response. |
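Review bot: The rewritten second and third paragraphs of the class docstring now read as instructions to the caller ("Do not set the header if…", "By default, set the X-Frame-Options header to…") rather than as a description of what the middleware does, which is ambiguous for a security control whose whole point is that it applies automatically; PEP 257's imperative-mood rule covers only the summary line, so the detail paragraphs are clearer in the indicative, e.g. `The header is not set if it's already present or if the response has xframe_options_exempt set to True.` and `By default the header is set to 'SAMEORIGIN', meaning the…`. With the wording being touched anyway, the hunk also drops the only caveat that this protection is enforced by the browser, not the server; rather than restoring the wiki link, one sentence such as `Browsers that do not honour X-Frame-Options get no protection from this header; the Content-Security-Policy frame-ancestors directive is the current mechanism for the same purpose and is not emitted by this middleware.` would keep readers from treating SAMEORIGIN/DENY as a complete defence. The body of process_response continues past the end of this hunk.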
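Review bot: The new first line of the get_xframe_options_value docstring names the header as `X_FRAME_OPTIONS`, which is the Django setting, not the HTTP header; since the method's return value is what ends up on the wire, the summary should say `Get the value to set for the X-Frame-Options header.` and leave `X_FRAME_OPTIONS` only in the sentence that refers to the setting, so that readers overriding the method do not confuse the two. The method body is outside this hunk, so whether the value is validated before being emitted cannot be checked from here.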
