Django XFrameOptionsMiddleware (X-Frame-Options) - allow iframe by client IP

Question

I'm using Django XFrameOptionsMiddleware to control clickjacking, but I have a customer that needs to be able to browse the app in an iframe from within their network. I want to be able to apply (or remove) the xframe_options_exempt decorator from within the view method.

Answer 1

Best approach is to override get_xframe_options_value. XFRAME_EXEMPT_IPS is a glob_list in my case to detect allowable networks using fnmatch (192.168.*).

class TFXFrameOptionsMiddleware(XFrameOptionsMiddleware):
    def get_xframe_options_value(self, request, response):
        if request.META['REMOTE_ADDR'] in settings.XFRAME_EXEMPT_IPS:
            return 'ALLOWALL' # non standard, equivalent to omitting
        return getattr(settings, 'X_FRAME_OPTIONS', 'SAMEORIGIN').upper()