I agree that Django should include this functionality in core. The header is a very useful way to discourage click-jacking in modern browsers.
However, I also agree with Ryan N that this should be off by default. If it must be on, it should use SAMEORIGIN (as the patch currently provides) to avoid breaking existing sites.

For better or worse, frames are an integral part of the web today. Taking a stance as an entire framework that, by default, content should not be framed is a _very bad_ choice. Many sites use Django to build open data platforms, and many of the interesting sites on the web today function as mashups of other site content (often by framing it, often without an explicit "go-ahead" by the framed site). If we force every site creator to explicitly enable the ability to be framed, we are directly creating a closed, less dynamic, less interesting internet.

I would prefer an approach that was more selective. In particular, this header (usually) only makes sense in the context of a page which contains a form. If we must enable it by default, we should limit it to those pages.

-Paul
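The three options discussed in this thread (off by default, always-on with SAMEORIGIN, or only on pages that carry a form) can be compared side by side in a small middleware. The code below is an added illustration, not the patch under discussion and not Django's own clickjacking middleware; the `Request`/`Response` classes, the `policy` and `value` parameters, the `frame_exempt` flag and the sample views are all constructed stand-ins so it runs without Django.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for a framework's request/response objects (assumption:
# a real framework would supply its own; these are NOT Django's classes).
@dataclass
class Request:
    path: str


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)
    frame_exempt: bool = False  # hypothetical per-view opt-out ("this page may be framed")


FORM_RE = re.compile(r"<form\b", re.IGNORECASE)


class XFrameOptionsMiddleware:
    """Attach X-Frame-Options to outgoing responses.

    policy:
      "off"        - never add the header (opt-in only, per view)
      "always"     - add it to every response that has not opted out
      "forms_only" - add it only when the response body contains a <form>,
                     the selective approach suggested in the post above
    value: "SAMEORIGIN" (lets the site frame itself) or "DENY" (no framing at all)
    """

    HEADER = "X-Frame-Options"

    def __init__(self, get_response, policy="always", value="SAMEORIGIN"):
        if policy not in ("off", "always", "forms_only"):
            raise ValueError(f"unknown policy {policy!r}")
        if value not in ("SAMEORIGIN", "DENY"):
            raise ValueError(f"unsupported X-Frame-Options value {value!r}")
        self.get_response = get_response
        self.policy = policy
        self.value = value

    def __call__(self, request):
        response = self.get_response(request)
        if self.policy == "off" or response.frame_exempt:
            return response
        if self.HEADER in response.headers:
            # The view already made an explicit choice; do not override it.
            return response
        if self.policy == "forms_only" and not FORM_RE.search(response.body):
            return response
        response.headers[self.HEADER] = self.value
        return response


# Constructed sample views: a plain page, a page with a login form, and an
# embeddable widget that deliberately allows framing via the exempt flag.
def _views(request):
    pages = {
        "/": Response("<h1>Open data portal</h1><p>Browse datasets.</p>"),
        "/login/": Response('<form method="post"><input name="password"></form>'),
        "/widget/": Response("<div>Embeddable chart</div>", frame_exempt=True),
    }
    return pages[request.path]


def header_for(path, policy="always", value="SAMEORIGIN"):
    """Return the X-Frame-Options value a response would carry, or None."""
    app = XFrameOptionsMiddleware(_views, policy=policy, value=value)
    return app(Request(path)).headers.get(XFrameOptionsMiddleware.HEADER)


if __name__ == "__main__":
    for policy in ("off", "always", "forms_only"):
        for path in ("/", "/login/", "/widget/"):
            print(f"{policy:10} {path:10} -> {header_for(path, policy)}")
```

Running the module prints a small matrix: under `always` every non-exempt page gets SAMEORIGIN, under `forms_only` the landing page is left frameable while the login page is protected, and the widget stays frameable under every policy because its view opted out. Whichever default a framework picks, the per-view override is what keeps a mashup-friendly site from breaking.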