The standard X-Frame-Options middleware and the opt-out view decorator xframe_options_exempt are not aware of the frame-ancestors value in our CSP.
Solution here: remove frame-ancestors from our standard nginx-provided CSP and now set it by default in Django when the X-Frame-Options header is sent (i.e. when the response is not exempt).
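As an added illustration of the approach described in the commit message, not the project's own code: a framework-free stand-in for a Django middleware pair. The `Response` class, the `xframe_options_middleware` mirror of Django's behaviour (skip exempt responses and responses that already carry the header), the `frame_ancestors_middleware` function and the `DENY`/`SAMEORIGIN` to `'none'`/`'self'` mapping are all assumptions made for this example. The point it shows is that a response marked exempt ends up with neither header, so the view's own CSP (or none) decides embeddability, while every non-exempt response gets a `frame-ancestors` directive that agrees with its `X-Frame-Options` value.

```python
"""Constructed example: keep CSP frame-ancestors in step with X-Frame-Options.

Framework-free stand-in for a Django middleware pair. The Response class
mimics the two Django behaviours the logic relies on: the
xframe_options_exempt decorator sets response.xframe_options_exempt = True,
and XFrameOptionsMiddleware only adds X-Frame-Options when the response is
not exempt and the header is not already present.
"""


class Response:
    """Minimal stand-in for an HTTP response: a header dict plus the exempt flag."""

    def __init__(self, headers=None, exempt=False):
        self.headers = dict(headers or {})
        self.xframe_options_exempt = exempt


def xframe_options_middleware(response, option="DENY"):
    """Mirror of Django's XFrameOptionsMiddleware (assumed shape, not Django's code):
    leave exempt responses and responses that already set the header alone."""
    if getattr(response, "xframe_options_exempt", False):
        return response
    if "X-Frame-Options" in response.headers:
        return response
    response.headers["X-Frame-Options"] = option
    return response


# Assumed mapping from the X-Frame-Options value to an equivalent CSP source list.
_XFO_TO_CSP = {"DENY": "'none'", "SAMEORIGIN": "'self'"}


def frame_ancestors_middleware(response):
    """Add a frame-ancestors directive whenever X-Frame-Options is present.

    Exempt responses carry no X-Frame-Options, so they get no frame-ancestors
    either and embedding is governed by whatever CSP was already set.
    If the CSP header already declares frame-ancestors, it is left untouched
    rather than duplicated.
    """
    xfo = response.headers.get("X-Frame-Options")
    if xfo is None:
        return response
    directive = "frame-ancestors " + _XFO_TO_CSP.get(xfo.upper(), "'none'")
    csp = response.headers.get("Content-Security-Policy", "")
    directives = [d.strip() for d in csp.split(";") if d.strip()]
    if any(d.lower().startswith("frame-ancestors") for d in directives):
        return response
    directives.append(directive)
    response.headers["Content-Security-Policy"] = "; ".join(directives)
    return response


def process(response, option="DENY"):
    """Apply both steps in response order: X-Frame-Options first, then CSP."""
    return frame_ancestors_middleware(xframe_options_middleware(response, option))


if __name__ == "__main__":
    for label, resp in [
        ("default view", Response()),
        ("exempt view", Response(exempt=True)),
        ("view with its own CSP", Response({"Content-Security-Policy": "default-src 'self'"})),
    ]:
        print(label, process(resp).headers)
```

Because browsers enforce every Content-Security-Policy header they receive and allow only what all of them allow, a frame-ancestors directive emitted by the application combines with the proxy's CSP rather than replacing it, which is what lets the proxy-side directive be dropped safely.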