I was running into this when I added the following to my nginx.conf:

add_header X-Frame-Options "SAMEORIGIN";

When I attempted to insert an image via TinyMCE, the popup was empty and Firebug gave the following error:

"Load denied by X-Frame-Options: http://mysite.com/asset_proxy/?u=https://mysite.com/static/grappelli/tinymce/jscripts/tiny_mce/plugins/advimage/image.htm does not permit cross-origin framing."

I'm not sure if this is the correct way to solve this, but I added the following to my project's settings.py:

SSL_FORCE_URL_PREFIXES = ("/admin", "/account", "/asset_proxy")
# default setting is - SSL_FORCE_URL_PREFIXES = ("/admin", "/account")

On Wednesday, April 9, 2014 10:21:49 AM UTC-5, Matthew Summers wrote:
>
> Hi there,
>
> First, tinymce uses an iframe for its pop-ups, so make sure you use:
> add_header X-Frame-Options SAMEORIGIN;
> and not:
> add_header X-Frame-Options DENY;
>
> I have a feeling that the issue is with the iframe coming from http in
> an https page.
>
> Second, you definitely do not want to over-ride SSL_FORCE_URL_PREFIXES
> to exclude /admin since that would yield plain text auth (==BAD).
>
> If you are interested in an SSL-only site, which I highly recommend, you
> may want to look at HSTS. I use it like the following in both the http
> (providing redirect) and https server blocks.
> add_header Strict-Transport-Security max-age=15768000;
> The max-age is in seconds, feel free to set this to a longer time
> period. I think the max allowed is around 2 years or 63072000.
>
> You might want to add these headers too, for completion:
> add_header X-XSS-Protection "1; mode=block";
> add_header X-Content-Type-Options nosniff;
>
> Third, to make mezzanine SSL-only, I set Enable SSL to True in the
> admin, and set SSL_FORCE_URL_PREFIXES="/" in my settings.py.
>
> Also a couple of things jump out at me.
>
> 1) Don't use rewrite for your redirect to https, use 'return 301'
> (it's more efficient). Use the following in your server block:
> return 301 https://www.example.com$request_uri;
>
> 2) Don't use alias in your location blocks, use root like this:
> location /static/ {
>     root /path/to/project;
>     ## The following are optional, and will not help with 404s.
>     access_log off;
>     log_not_found off;
> }
>
> Reference for that is here:
> http://nginx.org/en/docs/http/ngx_http_core_module.html#alias
>
> Cheers,
> Matt
> --
> M. Summers
>
> "...there are no rules here -- we're trying to accomplish something."
> - Thomas A. Edison

--
You received this message because you are subscribed to the Google Groups "Mezzanine Users" group.
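The browser check behind the "Load denied by X-Frame-Options" error, written out as an added example in Python (it is not part of the thread and not Mezzanine, TinyMCE or nginx code). The origin a browser compares for SAMEORIGIN is scheme + host + port, so an http:// asset_proxy popup framed inside an https:// admin page is cross-origin even though the host is identical, and the frame is refused. Once /asset_proxy is served over SSL the two origins match and the popup loads; DENY refuses the frame in every case, which is why it breaks TinyMCE's own pop-ups. The proxy URL is the one from the error message in the post; the admin page URL, the default-port handling and the treatment of unrecognised header values as "no restriction" are assumptions made for the example.

```python
"""X-Frame-Options decision logic, mirroring the browser check behind the
"Load denied by X-Frame-Options" error in the thread.

Added example, not Mezzanine/TinyMCE/nginx code. The proxy URL is taken from
the error message in the post; the header values are the nginx directives
quoted in the thread; everything else is constructed for illustration."""
from urllib.parse import urlsplit

# Ports implied when the URL does not spell one out (assumption: only these two schemes matter here).
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin triple of a URL.

    Scheme is part of the origin, so http://mysite.com and https://mysite.com
    are *different* origins even though the host is identical."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def frame_allowed(xfo_value, framed_url, top_url):
    """Decide whether a browser honouring X-Frame-Options would render
    `framed_url` inside a document at `top_url`.

    Returns (allowed, reason). The value is matched case-insensitively after
    stripping whitespace. DENY and SAMEORIGIN are implemented; SAMEORIGIN is
    compared against the top-level document, the common interpretation.
    Anything else (including an absent header) is treated as "no
    restriction", a simplification of real browser behaviour."""
    value = (xfo_value or "").strip().upper()
    if value == "DENY":
        return False, "DENY: framing refused regardless of origin"
    if value == "SAMEORIGIN":
        framed, top = origin(framed_url), origin(top_url)
        if framed == top:
            return True, "SAMEORIGIN: same scheme, host and port"
        return False, (
            "SAMEORIGIN: %s://%s:%s does not permit cross-origin framing by %s://%s:%s"
            % (framed + top)
        )
    return True, "no recognised X-Frame-Options restriction"


# Constructed scenario built from the URLs in the error message above.
ADMIN_PAGE = "https://mysite.com/admin/blog/blogpost/add/"   # assumed admin URL
PROXY_HTTP = ("http://mysite.com/asset_proxy/?u=https://mysite.com/static/"
              "grappelli/tinymce/jscripts/tiny_mce/plugins/advimage/image.htm")
PROXY_HTTPS = "https" + PROXY_HTTP[len("http"):]   # what /asset_proxy becomes once forced onto SSL


def scenarios():
    """Run the three cases from the thread and return {name: allowed}."""
    return {
        # 1) popup fetched over plain http, admin over https: blocked by SAMEORIGIN
        "http_proxy_in_https_admin": frame_allowed("SAMEORIGIN", PROXY_HTTP, ADMIN_PAGE)[0],
        # 2) /asset_proxy added to SSL_FORCE_URL_PREFIXES: now https, same origin
        "https_proxy_in_https_admin": frame_allowed("SAMEORIGIN", PROXY_HTTPS, ADMIN_PAGE)[0],
        # 3) DENY breaks TinyMCE's own pop-ups even when everything is https
        "deny_same_origin": frame_allowed("DENY", PROXY_HTTPS, ADMIN_PAGE)[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print("%-28s %s" % (name, "allowed" if ok else "blocked"))
```

The same comparison explains why the mixed-scheme case cannot be fixed from the nginx side alone: as long as the proxy URL is generated with http:// the origins differ, so the Mezzanine setting that forces the prefix onto https (or making the whole site SSL-only, as the quoted reply recommends) is what actually resolves it.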
