I need to fully load my website inside an iframe, so I deleted the clickjacking middleware, but after that I got a 403 status code and a CSRF exception. How can I fix this to allow loading my website inside an iframe?
You don't need to fully disable the middleware; you can disable it for a specific view using @xframe_options_exempt.
See: https://docs.djangoproject.com/en/3.2/ref/clickjacking/
Related
I keep getting 403 errors when I try to do a POST request in Django. I disabled django.middleware.csrf.CsrfViewMiddleware and I still have this line:
url(r"viewing_room_capture", csrf_exempt(EmailCapture.as_view()), name="email_capture_endpoint",)
Why am I getting a 403? It doesn't even look like my view executes, the request short-circuits before the view runs.
And yes, I do want to disable the CSRF protection on my forms. I seem to remember this working a week ago, but I've since rebuilt my local environment from scratch (docker-compose app) and it no longer works. I had 5 working API endpoints before this and now none of them work; I hadn't touched this app in 1.5 weeks before coming back to it today and finding everything broken. In fact, I have a development deployment using the same application code running right now in the cloud and I'm not getting 403 errors on my API endpoints (I checked the commit history already; nothing that could have caused this was added since my last deploy). My middleware is:
MIDDLEWARE = [
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.locale.LocaleMiddleware",
    "app.site_translation.middleware.TranslationMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
    "django.middleware.security.SecurityMiddleware",
    "app.base.middleware.AdditionalSecurityHeadersMiddleware",
    "app.base.middleware.CookieMiddleware",
    "app.base.middleware.DomainRedirectMiddleware",
    "app.base.middleware.CustomRedirectMiddleware",
    "app.base.middleware.LegacyURLsMiddleware",
    # Can be used instead if wagtail#4491 is merged:
    # 'wagtail.contrib.redirects.middleware.RedirectMiddleware',
    "debug_toolbar.middleware.DebugToolbarMiddleware",
]
Figured it out; it had to do with signing into the application. I can't do a POST request without CSRF if I'm logged in already.
I have a Python Django app running on https://dj-node-project.herokuapp.com/catalog/. When I put this into an iframe, I'm seeing a blank page. Do I need to enable "iframe" settings on Heroku?
<iframe src="https://dj-node-project.herokuapp.com/catalog/">
    <p>Your browser does not support iframes.</p>
</iframe>
You can remove the middleware as mentioned below, and you can also use the decorator:

from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_exempt

@xframe_options_exempt
def ok_to_load_in_a_frame(request):
    # The response is sent without the X-Frame-Options header, so browsers allow framing it
    return HttpResponse("This page is safe to load in a frame on any site.")
Django does not allow a Django website to be used in an iframe tag, because Django has the middleware
'django.middleware.clickjacking.XFrameOptionsMiddleware',
which does not allow loading a Django site into another website using an iframe tag. It checks SAMEORIGIN when the page is loaded.
you have
Read the full documentation about this topic: https://docs.djangoproject.com/en/1.11/ref/clickjacking/
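As an added example (a model written for this page, not Django's own source), the following pure-Python stand-in reproduces the decision order of XFrameOptionsMiddleware and the @xframe_options_exempt decorator discussed in the answers above, so the effect on a view can be checked without a running Django project; Request and Response are minimal stand-ins for Django's HttpRequest and HttpResponse.

```python
# Added example (not Django's source): a model of how Django's
# XFrameOptionsMiddleware and @xframe_options_exempt interact.
import functools

X_FRAME_OPTIONS = "DENY"  # Django's default setting; SAMEORIGIN is the other option

class Request:
    def __init__(self, path):
        self.path = path

class Response:
    def __init__(self):
        self.headers = {}

class XFrameOptionsMiddleware:
    """Same decision order as Django's middleware: keep an explicit header,
    skip responses marked exempt, otherwise apply the configured value."""
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        if "X-Frame-Options" in response.headers:
            return response
        if getattr(response, "xframe_options_exempt", False):
            return response
        response.headers["X-Frame-Options"] = X_FRAME_OPTIONS.upper()
        return response

def xframe_options_exempt(view):
    """Per-view opt-out, as in django.views.decorators.clickjacking."""
    @functools.wraps(view)
    def wrapped(request, *args, **kwargs):
        response = view(request, *args, **kwargs)
        response.xframe_options_exempt = True
        return response
    return wrapped

def catalog(request):
    return Response()

@xframe_options_exempt
def embeddable(request):
    return Response()

def frameable_cross_origin(view, path="/"):
    """True if the response carries no X-Frame-Options header, i.e. a page
    on another origin could embed it in an iframe."""
    response = XFrameOptionsMiddleware(view)(Request(path))
    return "X-Frame-Options" not in response.headers
```

Django only offers DENY and SAMEORIGIN for this header, so the exempt decorator opens the view to framing from any origin; limiting it to one partner site is done with a Content-Security-Policy frame-ancestors header instead.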
I have a new Django app with REST endpoints and a static HTML page that triggers XMLHttpRequest REST queries. POSTs fail with "CSRF cookie not set.".
If I open a client debugger, document.cookie returns "". AFAIK, this should contain "csrftoken".
In settings.py, MIDDLEWARE_CLASSES contains 'django.middleware.csrf.CsrfViewMiddleware' by default. Any idea what might be wrong?
Add the ensure_csrf_cookie decorator to your view:
https://docs.djangoproject.com/en/1.9/ref/csrf/#django.views.decorators.csrf.ensure_csrf_cookie
If that doesn't help, you might want to read these docs:
https://docs.djangoproject.com/en/1.9/ref/csrf/#ajax
I am working on a project that uses Django and Angular. I do not have a background as a web developer, so please try to explain your answer so that a novice can understand it.
Basically I want to make it so that the login page is the default page instead of the index page.
I currently have the following url handler in my main Django project urls.py:
url(r'^$', 'core.views.generic.index')
I also have another urls.py in an app called core that sends visitors to the login page:
url(r'^/login$', private.MeLogin.as_view())
Now I want the login page to become the default page instead of the index page. How can I do that?
I have tried adding the following to the views file in the core app:

from django.contrib.auth.decorators import login_required
from django.shortcuts import render_to_response
from django.template import RequestContext

@login_required(redirect_field_name='', login_url='#/login')
def index(request):
    return render_to_response('html/index.html', locals(), context_instance=RequestContext(request))
Unfortunately I get the message:
This webpage has a redirect loop
I do not know how to solve this problem. Basically I want users to be redirected to the login page if they enter any URL that is not handled by other URL handlers. When they successfully log in they are redirected to a dashboard page automatically.
EDIT:
The login page URL is handled in the core urls.py file and points to a different view than index.
url(r'^/login$', private.MeLogin.as_view())
Web servers (in this case Django) do not see the fragment after the #. You are redirecting from / to /, creating a redirect loop.
If you want to redirect to the Django login URL, you need login_url='/login'.
As an aside, you should remove the leading slash from your regex r'^/login$'.
In @login_required(redirect_field_name='', login_url='#/login'),
remove redirect_field_name=''; it really is not necessary. And make sure that #/login in login_url='#/login' is the same as in your url.py file,
like
views.py
@login_required(redirect_field_name='', login_url='accounts/login/')
as
url.py
url(r'^accounts/login/', auth_views.login),
I assume your Angular & Django apps are running on two separate ports, like:
Django on port 8000
Angular on port 1000
So if you give /#/login it will redirect to the same path on the Django port (8000/#/login).
So why don't you give the full URL www.example.com/#/login?
I want to build a server-side base for analytics using Python/Django. The script should catch requested URLs and update the database before routing the requested URL using urls.py. How can this be done?
To do such things you should use middleware. Copying from the documentation:
Middleware is a framework of hooks into Django’s request/response processing. It’s a light, low-level “plugin” system for globally altering Django’s input or output.
A middleware is a simple class that can define a number of methods. You'd need to define the process_request or process_view method and do your database updates etc. there.
Try using a middleware:
class MyTrackingMiddleware(object):
    def process_request(self, request):
        # save your request path here, e.g. request.path, before the URL is resolved
        return None  # returning None lets Django continue to the view

And add it to MIDDLEWARE_CLASSES in settings.py.
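As an added example (not the answer's code), here is the same idea written as a new-style middleware for the MIDDLEWARE setting (Django 1.10+), recording the path before the URL resolver and view run. FakeRequest and FakeResponse are stand-ins for Django's HttpRequest/HttpResponse so the block runs without Django installed, and the SQLite table stands in for a Django model.

```python
# Added example: new-style Django middleware (MIDDLEWARE setting) that logs
# each request path before routing. SQLite stands in for a Django model;
# FakeRequest/FakeResponse stand in for Django's request/response objects.
import sqlite3
import time

class RequestTrackingMiddleware:
    def __init__(self, get_response, db_path=":memory:"):
        self.get_response = get_response  # Django passes this at startup
        self.db = sqlite3.connect(db_path, check_same_thread=False)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS hits (ts REAL, method TEXT, path TEXT)"
        )

    def __call__(self, request):
        # Code before get_response() runs before routing, like process_request.
        # Only request.path is stored, never the query string, so tokens or
        # credentials passed as parameters do not end up in the analytics table.
        self.db.execute(
            "INSERT INTO hits VALUES (?, ?, ?)",
            (time.time(), request.method, request.path),
        )
        self.db.commit()
        return self.get_response(request)

    def hits_for(self, path):
        """Number of recorded requests for an exact path."""
        return self.db.execute(
            "SELECT COUNT(*) FROM hits WHERE path = ?", (path,)
        ).fetchone()[0]

class FakeRequest:
    def __init__(self, method, path):
        self.method, self.path = method, path

class FakeResponse:
    def __init__(self, status_code=200):
        self.status_code = status_code

def catalog_view(request):
    return FakeResponse(200)

def demo():
    """Push three constructed requests through the middleware and return
    the count recorded for /catalog/."""
    mw = RequestTrackingMiddleware(catalog_view)
    for path in ("/catalog/", "/catalog/", "/login"):
        mw(FakeRequest("GET", path))
    return mw.hits_for("/catalog/")
```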