Clickjacking Protection

原文：https://docs.djangoproject.com/en/1.8/ref/clickjacking/

The clickjacking middleware and decorators provide easy-to-use protection againstclickjacking. This type of attack occurs when a malicious site tricks a user into clicking on a concealed element of another site which they have loaded in a hidden frame or iframe.

通过点击劫持middleware和decorator可以很轻松的抵御点击劫持攻击。某个恶意网站将另外一个网站的页面(比如x.html)以iframe的方式覆盖在自己的网页(比如y.html)上，然后将x.html通过css设为透明，这样用户看到的是恶意网站的y.html页面，但点击时真正响应事件的是x.html，这种恶意行为即为点击劫持。

An example of clickjacking

Suppose an online store has a page where a logged in user can click “Buy Now” to purchase an item. A user has chosen to stay logged into the store all the time for convenience. An attacker site might create an “I Like Ponies” button on one of their own pages, and load the store’s page in a transparent iframe such that the “Buy Now” button is invisibly overlaid on the “I Like Ponies” button. If the user visits the attacker’s site, clicking “I Like Ponies” will cause an inadvertent click on the “Buy Now” button and an unknowing purchase of the item.

假如用户登陆到某个电商网站后，只要其点击了某个商品下方的“立即购买”，后台就会自动的完成提交订单、支付等一系列操作，而且为了方便，用户可能会使自己的帐号处于登陆状态，比如登陆时点击了“下次自动登陆”。恶意网站可能在某个页面上有个“我喜欢小矮马”的按钮，且上述网店的页面以iframe的方式覆盖在了当前页面上(透明的，用户看不到)，“立即购买”的按钮位置正好与“我喜欢小矮马”重合，那么如果用户访问了恶意网站的这个页面，并点击了“我喜欢小矮马”按钮，那么就触发了“立即购买”对应的时间，然后就会莫名其妙的购买了某件商品。

Preventing clickjacking

Modern browsers honor the X-Frame-Options HTTP header that indicates whetheror not a resource is allowed to load within a frame or iframe. If the response contains the header with a value of SAMEORIGIN then the browser will only load the resource in a frame if the request originated from the same site. If the header is set to DENY then the browser will block the resource from loading in a frame no matter which site made the request.

现代浏览器在HTTP的header中加入了X-Frame-Options选项，浏览器可以根据这个选项来决定某个资源是否允许通过frame或iframe嵌套到别的网站中。如果响应头中将其值设置为了SAMEORIGIN，则告诉浏览器该资源仅允许被嵌套在同源网站，如果值为DENY，则在任何位置的嵌套都是不允许的。

Django provides a few simple ways to include this header in responses from your site:

A simple middleware that sets the header in all responses.
A set of view decorators that can be used to override the middleware or to only set the header for certain views.

The X-Frame-Options HTTP header will only be set by the middleware or view decorators if it is not already present in the response.

Django提供了一些简单易用的方式来把该选项加到你网站response头里：

通过中间件，该头部会加在所有响应头里
通过装饰器对指定的view加该头部（装饰器优先级高于中间件）

目前为止，只能通过以上方式来添加X-Frame-Options头。

How to use it

在所有的reponse里都加上X-Frame-Options头

To set the same X-Frame-Options value for all responses in your site, put'django.middleware.clickjacking.XFrameOptionsMiddleware' to MIDDLEWARE_CLASSES:

MIDDLEWARE_CLASSES = (...'django.middleware.clickjacking.XFrameOptionsMiddleware',...
)

This middleware is enabled in the settings file generated by startproject.

在MIDDLEWARE_CLASSES里加入django.middleware.clickjacking.XFrameOptionsMiddleware中间件，那所有的响应头里都会包含X-Frame-Options。在执行startproject后该选项即生效。

By default, the middleware will set the X-Frame-Options header to SAMEORIGIN for every outgoingHttpResponse. If you wantDENY instead, set the X_FRAME_OPTIONS setting:

X_FRAME_OPTIONS = 'DENY'

X-Frame-Options的默认值是 SAMEORIGIN，如果想改成DENY，可以在settings.py中进行设置：

X_FRAME_OPTIONS = 'DENY'

When using the middleware there may be some views where you do not want the X-Frame-Options header set. For those cases, you can use a view decorator that tells the middleware not to set the header:

如果你不想在某些view的响应里加X-Frame-Options，那么可以通过在view上加装饰器：xframe_options_exempt来搞定。代码如下：

from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_exempt@xframe_options_exempt
def ok_to_load_in_a_frame(request):return HttpResponse("This page is safe to load in a frame on any site.")

在view级别上加X-Frame-Options头

主要是通过一系列的装饰器来实现。

from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_deny
from django.views.decorators.clickjacking import xframe_options_sameorigin@xframe_options_deny
def view_one(request):return HttpResponse("I won't display in any frame!")@xframe_options_sameorigin
def view_two(request):return HttpResponse("Display in a frame if it's from the same origin as me.")

Note that you can use the decorators in conjunction with the middleware. Use ofa decorator overrides the middleware.

注意，装饰器和中间件可以同时使用，但装饰器的优先级高于中间件。

Limitations

The X-Frame-Options header will only protect against clickjacking in a modern browser. Older browsers will quietly ignore the header and need otherclickjacking prevention techniques.

X-Frame-Options仅支持一些比较新的浏览器，版本较老的浏览器可以通过其他技术来方式点击劫持。

支持X-Frame-Options的浏览器

Internet Explorer 8+
Firefox 3.6.9+
Opera 10.5+
Safari 4+
Chrome 4.1+