diff --git a/lms/djangoapps/courseware/module_render.py b/lms/djangoapps/courseware/module_render.py
index e11f9b7f1e..486285a4e1 100644
--- a/lms/djangoapps/courseware/module_render.py
+++ b/lms/djangoapps/courseware/module_render.py
@@ -17,6 +17,7 @@ from django.template.context_processors import csrf
 from django.core.exceptions import PermissionDenied
 from django.urls import reverse
 from django.http import Http404, HttpResponse, HttpResponseForbidden
+from django.views.decorators.clickjacking import xframe_options_exempt
 from django.views.decorators.csrf import csrf_exempt
 from edx_proctoring.services import ProctoringService
 from opaque_keys import InvalidKeyError
@@ -915,6 +916,7 @@ def xqueue_callback(request, course_id, userid, mod_id, dispatch):
 
 
 @csrf_exempt
+@xframe_options_exempt
 def handle_xblock_callback_noauth(request, course_id, usage_id, handler, suffix=None):
     """
     Entry point for unauthenticated XBlock handlers.
@@ -927,6 +929,7 @@ def handle_xblock_callback_noauth(request, course_id, usage_id, handler, suffix=
     return _invoke_xblock_handler(request, course_id, usage_id, handler, suffix, course=course)
 
 
+@xframe_options_exempt
 def handle_xblock_callback(request, course_id, usage_id, handler, suffix=None):
     """
     Generic view for extensions. This is where AJAX calls go.
diff --git a/openedx/core/djangoapps/contentserver/middleware.py b/openedx/core/djangoapps/contentserver/middleware.py
index cceb804e4d..7d3b8a5083 100644
--- a/openedx/core/djangoapps/contentserver/middleware.py
+++ b/openedx/core/djangoapps/contentserver/middleware.py
@@ -179,6 +179,7 @@ class StaticContentServer(object):
             # "Accept-Ranges: bytes" tells the user that only "bytes" ranges are allowed
             response['Accept-Ranges'] = 'bytes'
             response['Content-Type'] = content.content_type
+            response['X-Frame-Options'] = 'ALLOW'
 
             # Set any caching headers, and do any response cleanup needed. Based on how much
             # middleware we have in place, there's no easy way to use the built-in Django
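Review bot: The `@xframe_options_exempt` added above `handle_xblock_callback_noauth` (and the same decorator on `handle_xblock_callback` in the next hunk) strips the X-Frame-Options header from every XBlock handler response, so any origin can embed these endpoints in a frame, and nothing in the commit records which embedding consumer needs this; on the unauthenticated handler it combines with the existing `@csrf_exempt`, so a handler that returns interactive HTML would be left with no clickjacking protection at all. If framing is only needed by known hosts, a `Content-Security-Policy: frame-ancestors <allowed origins>` header on the handler response would be narrower than a view-wide exemption that applies to every handler of every XBlock. At minimum each docstring should state the contract, something like `This view is exempt from X-Frame-Options so its responses can be framed by other sites (name the embedding consumer here); handlers returning interactive HTML cannot rely on framing protection.` Both functions' bodies continue outside their hunks.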
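Review bot: `'ALLOW'` is not a defined X-Frame-Options value — the header recognises only `DENY` and `SAMEORIGIN` (plus the deprecated `ALLOW-FROM`), and browsers disregard unrecognised values, so the added line does not express "allow framing" in any standard way and cross-browser behaviour is not guaranteed. Its practical effect is presumably only that a later framing middleware sees the header already present and leaves it alone, which is an indirect way of disabling the protection for all served static content. If the intent is to permit framing of this content, drop the header and mark the response exempt instead, `response.xframe_options_exempt = True` (the attribute Django's `XFrameOptionsMiddleware` honours), or if only specific embedding origins are intended send `Content-Security-Policy: frame-ancestors ...` listing them; either way add a comment stating why static assets must be frameable. The enclosing method of `StaticContentServer` starts and ends outside the hunk.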