Ticket #14261: clickjacking.diff

django/middleware/clickjacking.py

@@ +1 @@
+"""
+Clickjacking Protection Middleware.
+
+This module provides a middleware that implements protection against a
+malicious site loading your site in a hidden iframe.
+"""
+
+from django.conf import settings
+
+class XFrameOptionsMiddleware(object):
+    """
+    Middleware that sets the X-Frame-Options HTTP header in HTTP responses.
+    
+    By default, sets the X-Frame-Options header to 'DENY'. To have this
+    middleware set it to 'SAMEORIGIN' instead, set X_FRAME_OPTIONS in
+    settings.py to 'SAMEORIGIN'.
+
+    Note: older browsers will quietly ignore this header, thus other
+    clickjacking protection techniques should be used if protection in those
+    browsers is required.
+    
+    http://en.wikipedia.org/wiki/Clickjacking#Server_and_client
+    """
+    def process_response(self, request, response):
+        options = getattr(settings, 'X_FRAME_OPTIONS', 'DENY')
+        response['X-FRAME-OPTIONS'] = options.upper()
+        return response

tests/regressiontests/middleware/tests.py

@@ -2 +2 @@
 
 from django.test import TestCase
 from django.http import HttpRequest
+from django.http import HttpResponse
 from django.middleware.common import CommonMiddleware
+from django.middleware.clickjacking import XFrameOptionsMiddleware
 from django.conf import settings
-
+    
 class CommonMiddlewareTest(TestCase):
     def setUp(self):
         self.slash = settings.APPEND_SLASH
@@ -246 +248 @@
       self.assertEquals(r.status_code, 301)
       self.assertEquals(r['Location'],
                         'http://www.testserver/middleware/customurlconf/slash/')
+      
+class XFrameOptionsMiddlewareTest(TestCase):
+    def tearDown(self):
+        if hasattr(settings, 'X_FRAME_OPTIONS'):
+            delattr(settings, 'X_FRAME_OPTIONS')
+    
+    def test_same_origin(self):
+        """
+        Tests that the X_FRAME_OPTIONS setting can be set to SAMEORIGIN to
+        have the middleware use that value for the HTTP header.
+        """
+        settings.X_FRAME_OPTIONS = 'SAMEORIGIN'
+        r = XFrameOptionsMiddleware().process_response(HttpRequest(), 
+                                                       HttpResponse())
+        self.assertEquals(r['X-FRAME-OPTIONS'], 'SAMEORIGIN')
+        
+        settings.X_FRAME_OPTIONS = 'sameorigin'
+        r = XFrameOptionsMiddleware().process_response(HttpRequest(),
+                                                       HttpResponse())
+        self.assertEquals(r['X-FRAME-OPTIONS'], 'SAMEORIGIN')
+    
+    def test_deny(self):
+        """
+        Tests that the X_FRAME_OPTIONS setting can be set to DENY to
+        have the middleware use that value for the HTTP header.
+        """
+        settings.X_FRAME_OPTIONS = 'DENY'
+        r = XFrameOptionsMiddleware().process_response(HttpRequest(),
+                                                       HttpResponse())
+        self.assertEquals(r['X-FRAME-OPTIONS'], 'DENY')
+        
+        settings.X_FRAME_OPTIONS = 'deny'
+        r = XFrameOptionsMiddleware().process_response(HttpRequest(),
+                                                       HttpResponse())
+        self.assertEquals(r['X-FRAME-OPTIONS'], 'DENY')
+    
+    def test_defaults_deny(self):
+        """
+        Tests that if the X_FRAME_OPTIONS setting is not set then it defaults
+        to DENY.
+        """
+        r = XFrameOptionsMiddleware().process_response(HttpRequest(),
+                                                       HttpResponse())
+        self.assertEquals(r['X-FRAME-OPTIONS'], 'DENY')