Currently, to make Django projects embeddable within an LMS, we need to disable the django.middleware.clickjacking.XFrameOptionsMiddleware middleware. This removes the obstacle, but it also removes the only clickjacking protection the project ships with: the X-Frame-Options header can express only DENY or SAMEORIGIN, so the alternative to disabling it is to allow framing from nowhere or from everywhere. The more flexible and recommended way of handling this restriction is a Content-Security-Policy header whose frame-ancestors directive lists the origins that are allowed to frame the tool; browsers that understand frame-ancestors apply it in preference to X-Frame-Options, and it must be sent as an HTTP header (it is ignored in a meta tag). It might be a good idea to have functionality built into our library that generates the allow-list automatically from the set of active platforms or registrations, so that the header stays in step with the platforms that are actually configured and falls back to 'none' when there are none.
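Below is an added example of what such a middleware could look like; it is illustrative code written for this note, not code from the library. It assumes that registrations can be reduced to a list of platform URLs (issuer or launch URLs) supplied by a hypothetical provider callable, normalises them to origins for the frame-ancestors directive, fails closed to 'none' when no platform is registered, and merges the directive into any Content-Security-Policy header an earlier layer already set. The sample platform URLs are constructed for the example.

```python
"""Build a Content-Security-Policy frame-ancestors directive from registered
LTI platforms, instead of disabling XFrameOptionsMiddleware.

Added example, not the library's own code. The registration lookup is a
hypothetical callable injected into the middleware; in a real project it would
query the platform/registration model.
"""
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed sample data standing in for the active registrations.
SAMPLE_PLATFORM_URLS = [
    "https://canvas.example.edu/lti/launch",
    "https://Canvas.example.edu",          # duplicate differing only in case
    "http://lms.example.org:8080/",         # non-default port must be kept
    "not a url",                            # malformed entry, must be skipped
]


def origins_from_platform_urls(urls: Iterable[str]) -> List[str]:
    """Reduce platform URLs to unique CSP host-source origins (scheme://host[:port]).

    Paths and query strings are dropped because frame-ancestors matches on
    origin only. Malformed entries are skipped rather than emitted, since a
    single bad token would make the whole directive unparsable.
    """
    origins: List[str] = []
    for raw in urls:
        parts = urlsplit(raw.strip())
        if parts.scheme not in ("https", "http") or not parts.hostname:
            continue
        try:
            port = parts.port  # raises ValueError on a non-numeric port
        except ValueError:
            continue
        origin = f"{parts.scheme}://{parts.hostname}"  # hostname is lower-cased
        if port is not None and port not in (80, 443):
            origin += f":{port}"
        if origin not in origins:
            origins.append(origin)
    return origins


def frame_ancestors_directive(origins: Iterable[str]) -> str:
    """Fail closed: no registered platform means nobody may frame the tool."""
    origins = list(origins)
    if not origins:
        return "frame-ancestors 'none'"
    return "frame-ancestors " + " ".join(origins)


def merge_csp(existing: Optional[str], directive: str) -> str:
    """Append the directive to an existing CSP value, replacing any
    frame-ancestors directive that is already present."""
    if not existing:
        return directive
    kept = [
        d.strip()
        for d in existing.split(";")
        if d.strip() and not d.strip().lower().startswith("frame-ancestors")
    ]
    return "; ".join(kept + [directive])


class FrameAncestorsMiddleware:
    """Django-style middleware: emits Content-Security-Policy frame-ancestors.

    Works with any response object that supports item assignment and .get()
    for headers, as django.http.HttpResponse does. Django instantiates
    middleware with only get_response, so the provider has a default; a
    project would subclass or configure it to read its registration table.
    """

    def __init__(
        self,
        get_response: Callable,
        platform_urls_provider: Callable[[], Iterable[str]] = lambda: SAMPLE_PLATFORM_URLS,
    ) -> None:
        self.get_response = get_response
        self.platform_urls_provider = platform_urls_provider

    def __call__(self, request):
        response = self.get_response(request)
        # Evaluated per request so newly activated platforms take effect
        # without a restart; cache here if the lookup is expensive.
        origins = origins_from_platform_urls(self.platform_urls_provider())
        directive = frame_ancestors_directive(origins)
        response["Content-Security-Policy"] = merge_csp(
            response.get("Content-Security-Policy"), directive
        )
        return response
```

With the sample list above the middleware emits `frame-ancestors https://canvas.example.edu http://lms.example.org:8080`. Because frame-ancestors supersedes X-Frame-Options in browsers that support it, XFrameOptionsMiddleware can stay enabled with its DENY default as a fallback for legacy user agents rather than being removed outright.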