Question

I'm writing an application in Django that gives users the ability to embed videos from my site. I'm giving the user iFrame code to embed the videos. I've come to discover that this isn't allowed. The console shows the following error when trying to do so:

Load denied by X-Frame-Options: http://blah.com/embed/110/ does not permit cross-origin framing.

After much research, I've discovered what's going on. My question is: does anyone know how services like YouTube and Vimeo get around this?


Solution

There is a special header to allow or disallow showing a page inside an iframe: X-Frame-Options. It's used to prevent an attack called clickjacking. You can check Django's docs about it: https://docs.djangoproject.com/en/dev/ref/clickjacking/

Sites that want their content to be shown in an iframe just don't set this header.

I think in your installation of Django this protection is turned on by default. If you want to allow embedding your content inside iframes, you can either disable the clickjacking protection in your settings for the whole site, or use per-view control with the django.views.decorators.clickjacking decorators:

  • xframe_options_exempt
  • xframe_options_deny
  • xframe_options_sameorigin

Per-view control is a better option.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow