From 6e0b304f657a4b4503dd9474f52e1dc03da3ad5a Mon Sep 17 00:00:00 2001
From: Nizar Mahmoud
Date: Wed, 18 Nov 2020 20:04:46 +0300
Subject: [PATCH] Sets default X-Frame-Options for login and registration forms to X_FRAME_OPTIONS environment setting
---
 common/djangoapps/third_party_auth/decorators.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/djangoapps/third_party_auth/decorators.py b/common/djangoapps/third_party_auth/decorators.py
index b2deff2a2b..3f79bb4dae 100644
--- a/common/djangoapps/third_party_auth/decorators.py
+++ b/common/djangoapps/third_party_auth/decorators.py
@@ -17,13 +17,13 @@ from common.djangoapps.third_party_auth.provider import Registry
 def xframe_allow_whitelisted(view_func):
 """
 Modifies a view function so that its response has the X-Frame-Options HTTP header
- set to 'DENY' if the request HTTP referrer is not from a whitelisted hostname.
+ set to `settings.X_FRAME_OPTIONS` if the request HTTP referrer is not from a whitelisted hostname.
 """
 def wrapped_view(request, *args, **kwargs):
 """ Modify the response with the correct X-Frame-Options. """
 resp = view_func(request, *args, **kwargs)
- x_frame_option = 'DENY'
+ x_frame_option = settings.X_FRAME_OPTIONS
 if settings.FEATURES['ENABLE_THIRD_PARTY_AUTH']:
 referer = request.META.get('HTTP_REFERER')
 if referer is not None:
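Review bot: The fallback at `x_frame_option = settings.X_FRAME_OPTIONS` is used unchecked, so the login and registration forms now inherit whatever the deployment configured, including a value browsers ignore (for example the obsolete `ALLOW-FROM`) or a typo, either of which would leave these pages frameable when the referrer is not whitelisted. These are the views where clickjacking protection matters most, so I would constrain the value, e.g. `x_frame_option = settings.X_FRAME_OPTIONS if settings.X_FRAME_OPTIONS in ('DENY', 'SAMEORIGIN') else 'DENY'`. The docstring could also state that the setting is expected to be `DENY` or `SAMEORIGIN`. The body of `wrapped_view` continues past the end of the hunk, so how the header is finally written is not visible here.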