Django middleware affects the image upload feature #183
Description
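Django enables the django.middleware.clickjacking.XFrameOptionsMiddleware middleware by default, which makes the local image upload feature unusable.
The image is uploaded and stored correctly, but the editor cannot obtain the path of the uploaded image.
Removing this middleware would cause security problems.
The browser reports the following errors: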
Refused to display 'http://localhost:8000/' in a frame because it set 'X-Frame-Options' to 'deny'.
VM223:647
Uncaught TypeError: Cannot read properties of null (reading 'classList')
at HTMLDocument.onDocumentLoad (VM223:647:19)
onDocumentLoad @ VM223:647
image-dialog.js:158
Uncaught DOMException: Failed to read a named property 'document' from 'Window': Blocked a frame with origin "http://localhost:8000/" from accessing a cross-origin frame.
at uploadIframe.onload (http://localhost:8000/static/mdeditor/js/plugins/image-dialog/image-dialog.js:158:129)
uploadIframe.onload @ image-dialog.js:158
load(异步)
submitHandler @ image-dialog.js:154
dispatch @ jquery.js:5145
elemData.handle @ jquery.js:4949
trigger @ jquery.js:8629
(匿名) @ jquery.js:8707
each @ jquery.js:383
each @ jquery.js:205
trigger @ jquery.js:8706
(匿名) @ image-dialog.js:179
dispatch @ jquery.js:5145
elemData.handle @ jquery.js:4949
Django's default middleware configuration is as follows:
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
The package versions I am using are as follows:
Package [Version]
asgiref 3.8.1
Django 5.0.3
django-mdeditor 0.1.20
Markdown 3.6
pillow 10.3.0
pip 24.0
Pygments 2.17.2
setuptools 68.2.0
sqlparse 0.4.4
tzdata 2024.1
wheel 0.41.2