openedx-docker

Set X_FRAME_OPTIONS Django setting to an allowed value

Open jmaupetit opened this issue 6 years ago • 0 comments

Expected Behavior

No JS error related to the X-Frame-Options header should occur.

Actual Behavior

The X-Frame-Options header value is set to ALLOW, which is not allowed (for reference, see https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/X-Frame-Options), leading to the following Require.js dynamic loading error:

Error: Dynamic load not allowed: common/templates/components/system-feedback.underscore base.js:83:8563

Steps to Reproduce

  1. Go to the Studio (CMS) course details view
  2. The following error message should appear in the browser console:
     Invalid X-Frame-Options: “ALLOW” header from “https://cms.staging.foo.fr/settings/details/course-v1:Musicality+CS101+2019_T4” loaded into “https://cms.staging.foo.fr/course/course-v1:Musicality+CS101+2019_T4”.

Specifications

  • Version: at least dogwood.3-fun-1.3.4 (I think all releases and flavors are impacted)
  • Platform: Firefox 71 (Ubuntu GNU/Linux)

jmaupetit, Dec 15 '19 15:12
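A check for the condition reported above, as an added example that is not part of the issue or of the openedx-docker code: it classifies `X-Frame-Options` values so that an undefined one such as `ALLOW` is caught in a test run rather than in the browser console. The function names, the `example.test` hosts and the sample responses are constructed for illustration.

```python
VALID = {"DENY", "SAMEORIGIN"}  # the directives browsers still honour


def classify_xfo(raw):
    """Return (verdict, reason); verdict is "ok", "obsolete" or "invalid"."""
    # Values arrive comma-joined when the header is set more than once,
    # for example by both the application and a reverse proxy.
    tokens = [t.strip() for t in raw.split(",") if t.strip()]
    if not tokens:
        return "invalid", "empty header value"
    distinct = {t.upper() for t in tokens}
    if len(distinct) > 1:
        return "invalid", "conflicting values: " + ", ".join(sorted(distinct))
    value = tokens[0]
    if value.upper() in VALID:
        return "ok", value.upper()
    if value.split(None, 1)[0].upper() == "ALLOW-FROM":
        # Defined in RFC 7034 but ignored by current browsers.
        return "obsolete", "ALLOW-FROM: use CSP frame-ancestors instead"
    return "invalid", "%r is not a defined directive" % value


def audit(headers_by_url):
    """Return {url: (verdict, reason)} for every response that is not "ok"."""
    findings = {}
    for url, headers in headers_by_url.items():
        lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
        if "x-frame-options" not in lowered:
            continue  # a missing header is a separate policy question
        verdict, reason = classify_xfo(lowered["x-frame-options"])
        if verdict != "ok":
            findings[url] = (verdict, reason)
    return findings


# Constructed sample responses (hypothetical host and paths).
SAMPLE = {
    "https://cms.example.test/settings/details/": {"X-Frame-Options": "ALLOW"},
    "https://cms.example.test/home/": {"x-frame-options": "sameorigin"},
    "https://cms.example.test/legacy/": {
        "X-Frame-Options": "ALLOW-FROM https://lms.example.test"},
    "https://cms.example.test/proxy/": {"X-Frame-Options": "SAMEORIGIN, DENY"},
}

if __name__ == "__main__":
    for url, finding in sorted(audit(SAMPLE).items()):
        print(url, finding)
```

In a Django project the same `classify_xfo` check can be applied to the `X_FRAME_OPTIONS` setting itself, since that is the value the clickjacking middleware emits.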