
I'm developing a web application using the local dev server provided by Django. My local web-app is to be embedded in an iframe of a remote site. But when testing, Chrome loads the remote site's encapsulating webpage (the page which is meant to wrap my web-app in an iframe) but blocks requests towards my local dev server in the iframe, which makes testing impossible.

I have looked in Chrome's console and get the following error:

Refused to frame 'https://localhost:8000/' because it violates the following Content Security Policy directive: "child-src 'self' https://* shopify-pos://*". Note that 'frame-src' was not explicitly set, so 'child-src' is used as a fallback.

My questions:

1) Why is Chrome blocking requests?

2) Is this error being caused because I am using localhost, and will framing work fine on Chrome once I deploy on a production server with a domain name?

3) Is there any way that I may circumvent this error while I am on localhost for testing purposes?
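
Added example (not part of the original question or its answers): a simplified Python model of how a browser evaluates the policy quoted in the console error. It shows the `frame-src` to `child-src` fallback and that a source expression without a port, such as `https://*`, matches only the scheme's default port. The embedding origin `https://shop.example` and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def parse_policy(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def origin(url):
    """(scheme, host, port) with the scheme's default port filled in."""
    u = urlsplit(url)
    return u.scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme)

def source_matches(expr, url, self_origin):
    """Simplified match for 'self', scheme-sources and scheme://host[:port] only.
    Paths, scheme-less hosts, bare "*" and the http->https upgrade rule are left out."""
    scheme, host, port = origin(url)
    if expr == "'self'":
        return origin(url) == origin(self_origin)
    if "://" not in expr:
        return expr.endswith(":") and expr[:-1].lower() == scheme  # e.g. https:
    exp_scheme, _, rest = expr.partition("://")
    host_pat, _, port_pat = rest.split("/", 1)[0].lower().partition(":")
    if exp_scheme.lower() != scheme:
        return False
    wildcard = host_pat == "*" or (host_pat.startswith("*.") and host.endswith(host_pat[1:]))
    if not wildcard and host_pat != host:
        return False
    if port_pat == "":  # no port in the expression: only the default port matches
        return port == DEFAULT_PORTS.get(scheme)
    return port_pat == "*" or int(port_pat) == port

def frame_allowed(header, url, self_origin):
    """Return (allowed, governing directive) for an iframe navigation to url."""
    policy = parse_policy(header)
    for name in ("frame-src", "child-src", "default-src"):  # fallback order for frames
        if name in policy:
            return any(source_matches(s, url, self_origin) for s in policy[name]), name
    return True, None  # no governing directive: CSP does not restrict framing

# Policy copied from the console error above; the embedder origin is a constructed placeholder.
POLICY = "child-src 'self' https://* shopify-pos://*"
EMBEDDER = "https://shop.example"

if __name__ == "__main__":
    for candidate in ("https://localhost:8000/", "https://localhost/", "https://app.example.com/"):
        print(candidate, frame_allowed(POLICY, candidate, EMBEDDER))
```
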

2 Answers


  1. Django uses Clickjacking protection with ‘django.middleware.clickjacking.XFrameOptionsMiddleware’.

    To allow the site to be embedded in an iframe just erase that middleware from settings.py

    https://docs.djangoproject.com/en/dev/ref/clickjacking/#clickjacking-prevention

  2. Try to deactivate CORS protection in Chrome.

    This Chrome app might help.
