I recently upgraded a project from Django 2.2.24 to the latest 3.2.x release. This was mostly straightforward except for one problem that took a while to figure out.
I have a view that generates SVG and I have another view that generates HTML that embeds this SVG using an
<Object> tag. For some reason I was getting “broken pipe” errors on the server when accessing the HTML view and the SVG would not load. Accessing the SVG directly was not a problem. This was the same whether using the development server or Apache with mod_wsgi.
I tried both Django 3.1 and 3.0 as well with similar results but different errors. With these versions the error was “Connection reset by peer”. For some reason the browser was closing the connection before reading the SVG.
I couldn’t find an explanation and it wasn’t urgent so I gave up for a while. Today I took another look and found the reason could be found in the Django 3.0 release notes:
X_FRAME_OPTIONSnow defaults to
'DENY'. In older versions, the
X_FRAME_OPTIONSsetting defaults to
'SAMEORIGIN'. If your site uses frames of itself, you will need to explicitly set
X_FRAME_OPTIONS = 'SAMEORIGIN'for them to continue working.
This is a change to prevent click-jacking attacks. Evidently browsers treat
<object> elements the same way as an
<iframe> in this respect. You can resolve the issue globally as described in the release notes above, or you can decorate the view in question to allow it to be embedded:
from django.views.decorators.clickjacking import xframe_options_sameorigin
# Do something