Ticket #14261: clickjacking.diff

File clickjacking.diff, 3.9 KB (added by rniemeyer, 5 years ago)

XFrameOptionsMiddleware + tests

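--- a/django/middleware/clickjacking.py
+++ b/django/middleware/clickjacking.py
@@ -0,0 +1,27 @@
+"""
+Clickjacking Protection Middleware.
+
+This module provides a middleware that implements protection against a
+malicious site loading your site in a hidden iframe.
+"""
+
+from django.conf import settings
+
+class XFrameOptionsMiddleware(object):
+    """
+    Middleware that sets the X-Frame-Options HTTP header in HTTP responses.
+   
+    By default, sets the X-Frame-Options header to 'DENY'. To have this
+    middleware set it to 'SAMEORIGIN' instead, set X_FRAME_OPTIONS in
+    settings.py to 'SAMEORIGIN'.
+
+    Note: older browsers will quietly ignore this header, thus other
+    clickjacking protection techniques should be used if protection in those
+    browsers is required.
+   
+    http://en.wikipedia.org/wiki/Clickjacking#Server_and_client
+    """
+    def process_response(self, request, response):
+        options = getattr(settings, 'X_FRAME_OPTIONS', 'DENY')
+        response['X-FRAME-OPTIONS'] = options.upper()
+        return response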
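Review bot: process_response (new line 26) unconditionally overwrites any X-Frame-Options value a view has already placed on the response, so a view that legitimately must be framed, or one that wants a stricter value than the site-wide setting, has no way to opt out, which in practice pushes projects to disable the middleware entirely. A guard before the assignment preserves the view's decision: `if response.get('X-Frame-Options') is not None:` / `    return response` (HttpResponse header lookup is case-insensitive as far as I recall, so this matches the upper-cased key written on line 26). Separately, the setting is emitted verbatim after upper(): a misspelled value such as 'SAME_ORIGIN' is sent unchanged and browsers ignore unrecognised tokens, silently leaving pages unprotected, so rejecting anything other than DENY or SAMEORIGIN (for example by raising ImproperlyConfigured) would fail loudly instead. The docstring should also say that an already-set header is respected once that guard exists.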
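--- a/tests/regressiontests/middleware/tests.py
+++ b/tests/regressiontests/middleware/tests.py
@@ -2,9 +2,11 @@
 
 from django.test import TestCase
 from django.http import HttpRequest
+from django.http import HttpResponse
 from django.middleware.common import CommonMiddleware
+from django.middleware.clickjacking import XFrameOptionsMiddleware
 from django.conf import settings
- 
+   
 class CommonMiddlewareTest(TestCase):
     def setUp(self):
         self.slash = settings.APPEND_SLASH
@@ -246,3 +248,47 @@
       self.assertEquals(r.status_code, 301)
       self.assertEquals(r['Location'],
                         'http://www.testserver/middleware/customurlconf/slash/')
+     
+class XFrameOptionsMiddlewareTest(TestCase):
+    def tearDown(self):
+        if hasattr(settings, 'X_FRAME_OPTIONS'):
+            delattr(settings, 'X_FRAME_OPTIONS')
+   
+    def test_same_origin(self):
+        """
+        Tests that the X_FRAME_OPTIONS setting can be set to SAMEORIGIN to
+        have the middleware use that value for the HTTP header.
+        """
+        settings.X_FRAME_OPTIONS = 'SAMEORIGIN'
+        r = XFrameOptionsMiddleware().process_response(HttpRequest(),
+                                                       HttpResponse())
+        self.assertEquals(r['X-FRAME-OPTIONS'], 'SAMEORIGIN')
+       
+        settings.X_FRAME_OPTIONS = 'sameorigin'
+        r = XFrameOptionsMiddleware().process_response(HttpRequest(),
+                                                       HttpResponse())
+        self.assertEquals(r['X-FRAME-OPTIONS'], 'SAMEORIGIN')
+   
+    def test_deny(self):
+        """
+        Tests that the X_FRAME_OPTIONS setting can be set to DENY to
+        have the middleware use that value for the HTTP header.
+        """
+        settings.X_FRAME_OPTIONS = 'DENY'
+        r = XFrameOptionsMiddleware().process_response(HttpRequest(),
+                                                       HttpResponse())
+        self.assertEquals(r['X-FRAME-OPTIONS'], 'DENY')
+       
+        settings.X_FRAME_OPTIONS = 'deny'
+        r = XFrameOptionsMiddleware().process_response(HttpRequest(),
+                                                       HttpResponse())
+        self.assertEquals(r['X-FRAME-OPTIONS'], 'DENY')
+   
+    def test_defaults_deny(self):
+        """
+        Tests that if the X_FRAME_OPTIONS setting is not set then it defaults
+        to DENY.
+        """
+        r = XFrameOptionsMiddleware().process_response(HttpRequest(),
+                                                       HttpResponse())
+        self.assertEquals(r['X-FRAME-OPTIONS'], 'DENY')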
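Review bot: tearDown (new lines 253-255) deletes X_FRAME_OPTIONS from the shared settings object instead of restoring whatever value the project had, so running this class against a settings module that defines X_FRAME_OPTIONS silently removes that setting for every test that runs afterwards, and test_defaults_deny ends up depending on that deletion rather than on a genuinely unset setting. Recording the prior value in setUp and putting it back in tearDown keeps the class isolated; the rewritten fixture is below, the three test methods are unchanged. The fixed-string `'X-FRAME-OPTIONS'` lookups in the assertions could also use the conventional `'X-Frame-Options'` spelling so the tests do not encode the middleware's choice of key casing.
```python
class XFrameOptionsMiddlewareTest(TestCase):
    def setUp(self):
        # Remember the project's own value (None if unset) so tearDown can
        # restore it rather than unconditionally deleting it.
        self._old_x_frame_options = getattr(settings, 'X_FRAME_OPTIONS', None)

    def tearDown(self):
        if self._old_x_frame_options is None:
            if hasattr(settings, 'X_FRAME_OPTIONS'):
                delattr(settings, 'X_FRAME_OPTIONS')
        else:
            settings.X_FRAME_OPTIONS = self._old_x_frame_options

    # ... unchanged: test_same_origin, test_deny, test_defaults_deny ...
```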