openedx / edx-django-utils

edX utilities for Django Application development.
https://edx.readthedocs.io/projects/edx-django-utils/en/latest/
Apache License 2.0

feat: add custom middleware for x-frame-options to allow overrides #422

Open jesperhodge opened 4 months ago

jesperhodge commented 4 months ago

Description:

The SCORM XBlocks, starting with openedx-scorm-xblock version 18, cannot load because they require the X-Frame-Options header to be set to SAMEORIGIN for SCORM-related URLs, e.g. studio.edx.org/media/scorm/........ This header is set to DENY on the edx-platform CMS and LMS via the setting X_FRAME_OPTIONS.

This PR extends Django's XFrameOptions middleware to override the CMS or LMS Django setting via an override setting called X_FRAME_OPTIONS_OVERRIDES = [[regex, header_value]], where regex is a regex that matches URLs to override and header_value is one of DENY, SAMEORIGIN, ALLOW.

How to test:

Since this is a library, the automatic tests should suffice.

If you still want to test it with edx-platform to make sure it doesn't break anything, let me know and I can walk you through it.
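
A minimal sketch of the override lookup described in the PR, added here as an illustration and not the code from this pull request. The function names, matching against the request path with re.match, first-match-wins ordering, and rejecting any value other than DENY and SAMEORIGIN are assumptions of this example.

```python
import re

# Assumption of this sketch: accept only the two X-Frame-Options values
# that current browsers honour, and fail loudly on anything else.
ALLOWED_VALUES = {"DENY", "SAMEORIGIN"}


def compile_overrides(overrides):
    """Validate and compile [[regex, header_value]] pairs once, at startup."""
    compiled = []
    for pattern, value in overrides:
        value = value.upper()
        if value not in ALLOWED_VALUES:
            raise ValueError(f"unsupported X-Frame-Options value: {value!r}")
        compiled.append((re.compile(pattern), value))
    return compiled


def resolve_x_frame_options(path, compiled_overrides, default="DENY"):
    """Return the header value for a request path; the first match wins."""
    for regex, value in compiled_overrides:
        # re.match anchors at the start of the path, so a pattern written
        # for /media/scorm/ cannot match in the middle of another URL.
        if regex.match(path):
            return value
    # No override matched: keep the restrictive site-wide setting.
    return default


# Constructed sample setting in the [[regex, header_value]] shape from the
# PR description; the pattern itself is hypothetical.
X_FRAME_OPTIONS_OVERRIDES = [[r"^/media/scorm/", "SAMEORIGIN"]]
COMPILED = compile_overrides(X_FRAME_OPTIONS_OVERRIDES)

if __name__ == "__main__":
    samples = [
        "/media/scorm/course1/index.html",   # relaxed to SAMEORIGIN
        "/home",                             # stays DENY
        "/api/redirect?next=/media/scorm/",  # stays DENY: no match at start
    ]
    for sample in samples:
        print(sample, "->", resolve_x_frame_options(sample, COMPILED))
```

Keeping each override pattern anchored and as narrow as the framed content requires limits how much of the site loses the DENY protection against clickjacking.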