The standard X-Frame-Options middleware and the opt-out view decorator xframe_options_exempt are not aware of frame-ancestor value in our CSP.
Solution here: remove frame-ancestor from our standard nginx provided CSP and now set it by default in Django when the X-Frame-Options header is sent (ie when the response is not exempt).
The standard
X-Frame-Optionsmiddleware and the opt-out view decoratorxframe_options_exemptare not aware offrame-ancestorvalue in our CSP.Solution here: remove
frame-ancestorfrom our standard nginx provided CSP and now set it by default in Django when theX-Frame-Optionsheader is sent (ie when the response is not exempt).