fabiocaccamo / django-admin-interface

:superhero: :zap: django's default admin interface with superpowers - customizable themes, popup windows replaced by modals and many other features.
MIT License

Related Modal not working when Clickjacking Protection is enabled #30

Closed raratiru closed 6 years ago

raratiru commented 6 years ago

When django.middleware.clickjacking.XFrameOptionsMiddleware is used the modal is blocked and never shows up.

I had to disable the header for the admin pages in order to make it work, although the default setting is SAMEORIGIN.

By default, the middleware will set the X-Frame-Options header to SAMEORIGIN for every outgoing HttpResponse.

fabiocaccamo commented 6 years ago

I use django.middleware.clickjacking.XFrameOptionsMiddleware but I can't reproduce this issue. It's really strange because the url loaded into iframe is in the same origin...

Which versions of django and Python are you using?

raratiru commented 6 years ago

You are right ... I have a rather complicated setup and I have not tried to reproduce it in a fresh install of Django.

However, these are the versions of the applications I would consider relative:

Python 3.5.4
Django 1.11.9
django-admin-interface 0.5.9
django-admin-shortcuts 1.2.7
django-flat-responsive 2.0
django-flat-theme 1.1.4
django-tabbed-admin 1.0.3
django-apptemplates 1.4
django-decorator-include 1.3

I have also overridden the following files (using django-app-templates). I am overriding different files from different applications; I wonder if this could be the cause of the issue:

base_site.html:

{% extends "admin_interface:admin/base_site.html" %}
...

index.html:

{% extends "admin:admin/index.html" %}
...

I have debugged it using the Developer's Web Console of Firefox 52.5.2, where I saw the related message.

In order to deactivate django.middleware.clickjacking.XFrameOptionsMiddleware I used django-decorator-include and added the following to my urls.conf:

from django.conf.urls import url
from django.contrib import admin
from django.views.decorators.clickjacking import xframe_options_exempt
from decorator_include import decorator_include

urlpatterns = (
    ...
    # decorator_include applies xframe_options_exempt to every admin view,
    # so the middleware stops adding X-Frame-Options for the whole admin.
    url(r'^admin/', decorator_include(xframe_options_exempt, admin.site.urls)),
    ...
)
fabiocaccamo commented 6 years ago

Ok, could you try not overriding the admin templates and re-activating django.middleware.clickjacking.XFrameOptionsMiddleware?

raratiru commented 6 years ago

I disabled django-admin-shortcuts, deleted the overridden files base_site.html and index.html but the issue still remains:

Load denied by X-Frame-Options: https://<path-to-my-app>/add/?_to_field=id&_popup=1&_modal=939156 does not permit framing.

fabiocaccamo commented 6 years ago
raratiru commented 6 years ago

Whoaaa!

You are very right: nginx.conf! 🥇

Thank you!
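The thread ends with the cause found in nginx.conf rather than in Django: the modal iframe is same-origin, so Django's SAMEORIGIN header should allow it, and the denial came from the proxy layer. The script below is an added example (not part of django-admin-interface, and not code from either participant) that reproduces the browser's decision from the response headers a URL actually carries, so a second X-Frame-Options value added by a reverse proxy shows up as the reason instead of being masked by exempting the admin. The host `example.invalid`, the header lists and the conservative handling of conflicting or unsupported values are constructed assumptions of this example.

```python
"""Evaluate whether a framed URL is allowed under the X-Frame-Options headers
a response really carries.

Added example, not part of django-admin-interface. It models the browser
decision conservatively: any conflicting or unsupported value counts as deny.
"""
from urllib.parse import urlsplit


def origin_of(url):
    """Return scheme://host[:port], the browser's notion of origin, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"


def xfo_values(headers):
    """Collect every X-Frame-Options value from a list of (name, value) pairs.

    Comma-joined values are split, because some clients fold repeated headers
    into one line. A reverse proxy may add its own header in front of the one
    Django's XFrameOptionsMiddleware set, which is the case this exposes.
    """
    values = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            values.extend(v.strip().upper() for v in value.split(",") if v.strip())
    return values


def framing_allowed(headers, top_url, frame_url):
    """Return (allowed, reason) for loading frame_url inside a page at top_url.

    Rules (assumption: a conservative reading of RFC 7034 and browser practice):
      no header                  -> allowed
      SAMEORIGIN                 -> allowed only when both origins match
      DENY                       -> never allowed
      several distinct values    -> misconfiguration, treated as deny
      ALLOW-FROM / unknown value -> not modelled here, treated as deny
    """
    values = xfo_values(headers)
    if not values:
        return True, "no X-Frame-Options header"
    distinct = sorted(set(values))
    if len(distinct) > 1:
        return False, (f"conflicting X-Frame-Options values {distinct}; "
                       "one layer (app or proxy) is adding an extra header")
    policy = distinct[0]
    if policy == "SAMEORIGIN":
        top, frame = origin_of(top_url), origin_of(frame_url)
        if top == frame:
            return True, "same origin, SAMEORIGIN satisfied"
        return False, f"SAMEORIGIN: frame origin {frame} differs from {top}"
    if policy == "DENY":
        return False, "DENY never permits framing"
    return False, f"unsupported or invalid value {policy!r}, treated as deny"


# Constructed sample data mirroring the popup URL shape from the issue.
TOP = "https://example.invalid/admin/"
FRAME = "https://example.invalid/admin/app/model/add/?_to_field=id&_popup=1&_modal=1"
CROSS_ORIGIN_TOP = "https://other.invalid/"

# Headers as Django alone would send them.
DJANGO_ONLY = [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")]
# Headers when a proxy prepends its own, stricter value to Django's.
PROXY_ADDED_DENY = [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")]


def report(label, headers, top_url=TOP, frame_url=FRAME):
    """Format one verdict line; returns the string so callers can check it."""
    allowed, reason = framing_allowed(headers, top_url, frame_url)
    return f"{label}: {'ALLOWED' if allowed else 'DENIED'} ({reason})"


if __name__ == "__main__":
    print(report("django only", DJANGO_ONLY))
    print(report("proxy adds DENY", PROXY_ADDED_DENY))
    print(report("cross-origin parent", DJANGO_ONLY, top_url=CROSS_ORIGIN_TOP))
```

To run it against a live deployment, paste the header lines from `curl -sI <frame url>` into a list of (name, value) pairs and call `framing_allowed` with the admin index as `top_url`. A verdict of "conflicting X-Frame-Options values" points at the layer to fix; it keeps SAMEORIGIN in place for the admin instead of removing clickjacking protection with `xframe_options_exempt`.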