Iframe stops working after upgrading to Django 3.2 LTS - django

I was using Django 2.2 up till now and I recently tried upgrading to Django 3.2.
We use a website live chat plugin called tawk.to which works by embedding an iframe to our page with the chat option in there.
However, after upgrading to Django 3.2, even though the plugin's JS code is loading, the iframe is missing from the website altogether.
I am not sure what is causing the issue. Is the iframe blocked in Django 3.2 or do I have to enable any setting for it?

There are security updates added in Django 3.2 which do not allow other frames. Refer to https://docs.djangoproject.com/en/3.2/ref/clickjacking/#preventing-clickjacking.
You should change X_FRAME_OPTIONS = 'SAMEORIGIN' as explained in https://docs.djangoproject.com/en/3.2/ref/clickjacking/#how-to-use-it

I found the answer after going deep into the Django files. Add this to your settings.py file.
SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin"  # when using other websites that track visitors or use their iframe on your website
X_FRAME_OPTIONS = 'SAMEORIGIN'  # necessary to show an iframe from your own server (such as PDFs on your website)

Related

Django Admin now showing model list in iframe — what changed?

I have built a Django application with a custom interface. It hasn't been changed in a couple of years.
These (previous) servers are running Django 3.0.8.
Recently I set up a new server, and the Django Admin interface now shows the model list in a scrolling iframe, and long tables on the right side are also scrolled independently of the page.
This server is running Django 3.2.3.
I don't like the new interface, but more importantly it will require an extensive rewrite of our custom admin CSS.
Can anyone point me to information about the change, or tell me if there is a setting to disable it?
I found the answer in this Stack Overflow answer. I will leave this question up because the other answer doesn't mention iframes.
Django 3.1 added the new scrolling sidebar in an iframe.
To disable it add the following to the root urls.py file:
from django.contrib import admin

admin.autodiscover()
# Django 3.1+: turn off the admin's navigation sidebar on the default AdminSite
admin.site.enable_nav_sidebar = False
The 3.1 Release Notes say:
The admin now has a sidebar on larger screens for easier navigation. It is enabled by default but can be disabled by using a custom AdminSite and setting AdminSite.enable_nav_sidebar to False.
Reference links from the original answer:
Django 3.1 release notes
The Django admin site

Refused to display iframe or embed tag in django 3.0 and chrome

I had a django app that used an iframe to display a pdf stored in my local machine, something like this:
<embed src="path_to_file.pdf" type="application/pdf">
Everything worked just fine in all supported browsers... Until today.
The app suddenly stopped working on Chrome and the console displays the message Refused to display 'path_to_file.pdf' in a frame because it set 'X-Frame-Options' to 'deny'.
In other browsers it's still working as usual. I don't know if Chrome just made an update or what changed, but it is not working anymore. Any help would be appreciated!
After going through a lot of similar questions and trying lots of different things, I finally found a solution for my problem thanks to the django documentation.
Since Django 3.0, the default value of the X_FRAME_OPTIONS setting was changed from SAMEORIGIN to DENY.
So I just had to add X_FRAME_OPTIONS = 'SAMEORIGIN' to settings.py and the problem was gone.
I still don't know which change made my code stop working, because I had already been using Django 3.0 since it was released; probably it was a Chrome update.
Recording an incident here specifically with a Vimeo embedded video. I needed to set SECURE_REFERRER_POLICY to None. The default was changed in Django 3.1.
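Both this thread and the tawk.to thread at the top of the page come down to the same two response headers: X-Frame-Options (from X_FRAME_OPTIONS, default DENY since Django 3.0) and Referrer-Policy (from SECURE_REFERRER_POLICY, default same-origin since Django 3.1). The following is an added example, not Django's own code and not code from any answer above: a plain-dict stand-in for what XFrameOptionsMiddleware and SecurityMiddleware add to a response, plus the browser-side decision that produces the "Refused to display ... in a frame" message. The header semantics match Django's documented behaviour; the origin example.test and the PDF path are constructed for the demo.

```python
"""Model of Django's clickjacking / referrer-policy headers and of the
browser-side framing check. Added example; does not import Django."""
from urllib.parse import urlsplit

DEFAULT_X_FRAME_OPTIONS = "DENY"         # Django >= 3.0 default
DEFAULT_REFERRER_POLICY = "same-origin"  # Django >= 3.1 default


def apply_security_headers(response, x_frame_options=DEFAULT_X_FRAME_OPTIONS,
                           secure_referrer_policy=DEFAULT_REFERRER_POLICY,
                           xframe_exempt=False):
    """Mirror XFrameOptionsMiddleware and SecurityMiddleware on a plain dict
    of headers (a constructed stand-in for an HttpResponse)."""
    headers = dict(response)
    # XFrameOptionsMiddleware: add the header unless the view is exempt
    # (@xframe_options_exempt) or the view already set one itself.
    if not xframe_exempt and "X-Frame-Options" not in headers:
        headers["X-Frame-Options"] = x_frame_options.upper()
    # SecurityMiddleware: SECURE_REFERRER_POLICY may be None (no header),
    # a single value, or a comma-separated string / iterable of fallbacks.
    if secure_referrer_policy and "Referrer-Policy" not in headers:
        if isinstance(secure_referrer_policy, str):
            values = [v.strip() for v in secure_referrer_policy.split(",")]
        else:
            values = list(secure_referrer_policy)
        headers["Referrer-Policy"] = ",".join(values)
    return headers


def origin(url):
    """scheme://host[:port] of a URL, the unit X-Frame-Options compares."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def browser_allows_framing(framed_headers, framed_url, top_url):
    """Decide whether a browser renders `framed_url` inside a frame on the
    page at `top_url`. Only the header carried by the *framed* response
    matters. Returns (allowed, reason)."""
    value = framed_headers.get("X-Frame-Options", "").strip().upper()
    if value == "DENY":
        return False, "X-Frame-Options: DENY refuses every frame, even same-origin"
    if value == "SAMEORIGIN":
        if origin(framed_url) == origin(top_url):
            return True, "same origin, allowed by SAMEORIGIN"
        return False, "cross-origin frame refused by SAMEORIGIN"
    return True, "no X-Frame-Options header; framing is not restricted by it"


def demo():
    """Walk through the page's scenario: a PDF served by the site and framed
    by one of its own pages, then framed by an unrelated site."""
    site = "https://example.test"  # constructed placeholder origin
    pdf = f"{site}/static/report.pdf"
    results = {}
    # Django 3.x default: even the site's own PDF is refused
    # (the console shows "... set 'X-Frame-Options' to 'deny'").
    default_hdrs = apply_security_headers({})
    results["default_same_origin"] = browser_allows_framing(default_hdrs, pdf, f"{site}/docs/")[0]
    # X_FRAME_OPTIONS = 'SAMEORIGIN': the PDF loads on the site's own pages,
    # while an unrelated page still cannot frame it (clickjacking protection kept).
    so_hdrs = apply_security_headers({}, x_frame_options="SAMEORIGIN")
    results["sameorigin_same_origin"] = browser_allows_framing(so_hdrs, pdf, f"{site}/docs/")[0]
    results["sameorigin_cross_origin"] = browser_allows_framing(so_hdrs, pdf, "https://other-site.test/")[0]
    # SECURE_REFERRER_POLICY = None drops the Referrer-Policy header entirely.
    results["referrer_header_with_none"] = "Referrer-Policy" in apply_security_headers({}, secure_referrer_policy=None)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model makes the trade-off explicit: SAMEORIGIN is the least-privilege setting that still lets your own pages frame your own resources, while DENY also blocks those. Note that the framing decision is driven by the headers of the response being framed, so a third-party widget's iframe is governed by the third party's headers, and your X_FRAME_OPTIONS value governs who may frame your pages.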

Microsoft Edge Browser Django Admin login not working

I am trying to log in to the Django admin using the Microsoft Edge browser, but I have had no luck logging in to the admin site. Everything is working in other browsers; even on Internet Explorer it's working smoothly apart from some CSS issues. I have tried everything from this link from the comments, still no luck. Any help?
Django Suit officially only supports up to Django 1.10.
As confirmed by the OP, removing Django Suit from the project resolved the issue.

django ckeditor running into unexpected errors

I am using django-ckeditor python package in my django app (django 1.11 + python 2.7). I have integrated it with s3 and it is hosted on Heroku. So far everything runs smooth.
Earlier I had an issue that non-admin users could not upload images to the server and thus could not use any images as part of their content. I fixed it by overriding ckeditor's browse and upload views. When I tested it, it was working just fine. I pushed it to production.
Now none of my users can use ckeditor's image upload or browse feature. When I try it (as an admin or as a regular user) it works. Some users reported that the app crashes; some said the image won't show up despite uploading it to the server (also I can't see it in my S3 bucket).
Other images are working well with S3 for all users, but ckeditor's images are working only for me, no matter which machine or which role I try as.
I also checked heroku apps, but they are not helpful at all.
Does anyone have any guesses why this could be happening?

blank page or KeyError in preview Wagtail 1.10.1

I just upgraded to Wagtail 1.10.1 and the preview shows only a blank page. When I force the preview by appending preview/ to the edit URL, then I get a server error. It all works just fine on my development and staging sites, so I also need some help tracking down where the error might be.
Internal Server Error: /admin/pages/81/edit/preview/
KeyError at /admin/pages/81/edit/preview/
'wagtail-preview-81'
Django Version: 1.11.1
Python Executable: /usr/local/bin/uwsgi
Python Version: 3.5.2
I've been doing only minimal upgrades for a few months, so it's possible I missed something in a previous upgrade that used to work but that now I need to fix (although why it would work in the dev and staging sites but not the real one puzzles me); any suggestions would be welcome.
Please refresh your browser cache in the edit page (Ctrl + F5) then click again on preview.
The issue is that the admin JavaScript changed, but Wagtail no longer compresses its assets, so your browser cached the previous version of the JavaScript file. So preview data is not correctly sent to the server, and it's therefore unable to retrieve it when displaying the preview.
You can avoid such issues in the future by compressing admin assets.
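The stale-cache failure described in this answer is what content-hashed asset names prevent: when a file's URL changes with its content, a browser cannot keep serving the old copy. The following is an added example, not Wagtail's or Django's own code: a small hashed-name scheme in the spirit of Django's ManifestStaticFilesStorage (which uses a truncated MD5; SHA-256 is used here by assumption), run over two constructed versions of an admin script to show that the URL changes with the content.

```python
"""Content-hashed static file names, so a changed asset gets a new URL.
Added example; the file names and contents below are constructed."""
import hashlib


def hashed_name(path, content):
    """Return 'dir/name.<12 hex of sha256(content)>.ext' for a logical path.
    Files without an extension get the digest appended after a dot."""
    digest = hashlib.sha256(content).hexdigest()[:12]
    directory, _, filename = path.rpartition("/")
    prefix = f"{directory}/" if directory else ""
    if "." in filename:
        stem, ext = filename.rsplit(".", 1)
        return f"{prefix}{stem}.{digest}.{ext}"
    return f"{prefix}{filename}.{digest}"


def build_manifest(files):
    """Map each logical path to its hashed path (what a template tag would
    resolve at render time). `files` maps logical path -> bytes."""
    return {path: hashed_name(path, content) for path, content in files.items()}


def changed_urls(old_manifest, new_manifest):
    """Logical paths whose served URL changed between two deployments, i.e.
    the assets a browser is forced to re-fetch instead of reusing its cache."""
    return sorted(p for p in new_manifest if old_manifest.get(p) != new_manifest[p])


def demo():
    # Constructed "before upgrade" and "after upgrade" asset sets.
    before = {
        "wagtailadmin/js/page-editor.js": b"sendPreview(form.serialize());",
        "wagtailadmin/css/core.css": b"body { margin: 0 }",
    }
    after = {
        "wagtailadmin/js/page-editor.js": b"sendPreview(new FormData(form));",
        "wagtailadmin/css/core.css": b"body { margin: 0 }",
    }
    old_manifest, new_manifest = build_manifest(before), build_manifest(after)
    return old_manifest, new_manifest, changed_urls(old_manifest, new_manifest)


if __name__ == "__main__":
    old, new, changed = demo()
    for path in new:
        print(f"{path} -> {new[path]}")
    print("re-fetched after deploy:", changed)
```

Only the script whose bytes changed gets a new URL; the unchanged stylesheet keeps its hashed name and may stay cached, which is the behaviour a Ctrl+F5 workaround only approximates by hand.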