I'm developing a web application using the local dev server provided by Django. My local web app is to be embedded in an iframe of a remote site. But when testing, Chrome loads the remote site's encapsulating webpage (the page which is meant to wrap my web app in an iframe) but blocks requests towards my local dev server in the iframe, which makes testing impossible.
I have looked in Chrome's console and get the following error:
Refused to frame 'https://localhost:8000/' because it violates the following Content Security Policy directive: "child-src 'self' https://* shopify-pos://*". Note that 'frame-src' was not explicitly set, so 'child-src' is used as a fallback.
My questions:
1) Why is Chrome blocking requests?
2) Is this error being caused because I am using localhost? And will framing work fine on Chrome once I deploy on a production server with a domain name?
3) Is there any way that I may circumvent this error while I am on localhost for testing purposes?
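The console message above is the embedding site's Content Security Policy being enforced by the browser: the frame URL is checked against each source in the child-src list, and a source with no port (such as https://*) only matches the scheme's default port, so a dev server on port 8000 cannot match it. The following added example, which is not from the question or from any answer, implements that CSP source-expression matching for host sources, 'self' and 'none' (a simplification of the CSP3 matching algorithm; IPv6 hosts and nonce/hash sources are left out) and runs the directive quoted in the error against a few frame URLs; the embedding origin shop.example.com is a constructed placeholder.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def _parse_source(expr):
    """Split a host-source such as 'https://*.example.com:8000' into (scheme, host, port)."""
    scheme, _, rest = expr.rpartition("://")
    host, _, port = rest.partition(":")
    return scheme.lower() or None, host.lower(), port or None

def _host_matches(pattern, host):
    if pattern == "*":                      # '*' as host matches any host
        return True
    if pattern.startswith("*."):            # '*.example.com' matches subdomains only
        return host.endswith(pattern[1:])
    return pattern == host

def source_matches(expr, url, page_origin):
    """Does one CSP source expression allow `url` on a page served from `page_origin`?"""
    u, o = urlsplit(url), urlsplit(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":                    # same scheme, host and (default-normalised) port
        return (u.scheme == o.scheme and u.hostname == o.hostname and
                (u.port or DEFAULT_PORTS.get(u.scheme)) == (o.port or DEFAULT_PORTS.get(o.scheme)))
    scheme, host, port = _parse_source(expr)
    want = scheme or o.scheme               # schemeless source inherits the page's scheme
    if not (u.scheme == want or (want == "http" and u.scheme == "https")):
        return False                        # https may satisfy an http source, never the reverse
    if not _host_matches(host, u.hostname or ""):
        return False
    if port is None:                        # no port in the source: only the scheme's default port matches
        return u.port is None or u.port == DEFAULT_PORTS.get(u.scheme)
    return port == "*" or u.port == int(port)

def directive_allows(directive_value, url, page_origin):
    """True if any source listed in a child-src / frame-src value permits framing `url`."""
    return any(source_matches(e, url, page_origin) for e in directive_value.split())

# The directive value quoted in the question's console error, plus a placeholder embedding origin.
CHILD_SRC = "'self' https://* shopify-pos://*"
EMBEDDING_ORIGIN = "https://shop.example.com"   # constructed placeholder, not a value from the page

if __name__ == "__main__":
    for frame_url in ("https://localhost:8000/", "https://localhost/", "http://localhost:8000/"):
        verdict = "allowed" if directive_allows(CHILD_SRC, frame_url, EMBEDDING_ORIGIN) else "refused"
        print(f"{frame_url:26} -> {verdict}")
```

Running it shows that the port, not the hostname localhost, is what fails the https://* source; the embedding site's policy would have to list the dev origin with its port (for example https://localhost:8000) for that frame to be permitted.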
2 Answers
Django uses clickjacking protection with 'django.middleware.clickjacking.XFrameOptionsMiddleware'.
To allow the site to be embedded in an iframe, just erase that middleware from settings.py:
https://docs.djangoproject.com/en/dev/ref/clickjacking/#clickjacking-prevention
Try to deactivate CORS protection in Chrome.
This Chrome app might help.