I have a model called "press" with a field for "lab", which is another model. On the admin change page for an object in "press", I can choose the "lab" from a list, or click the green plus sign to add a new one. In development, this works fine.
After clicking the 'add' sign IN DEVELOPMENT
Looks good. BUT, on my actual site, this is what happens. The red is the name of the server/root URL of the site.
This is not the only time this happens. It is every 'plus' button that adds a new item to a foreign key field.
The link on the button in this case was:
dev: http://.../admin/press/lab/add/?_to_field=id&_popup=1
actual: https://.../admin/press/lab/add/?_to_field=id&_popup=1
Everything there looks OK.
ALSO, on the actual site, if I click 'add' on the left menu, it works fine.
In that case, the link is: https://.../admin/press/lab/add/
Is the problem because the first case is a popup? Or it doesn't like /?_to_field=id? Any ideas?
EDIT: I think it's an X-Frame-Options issue. Mine is set to "DENY" in settings.py, because that was advised for keeping things secure. Changing it to "SAMEORIGIN" fixed everything. But that seems to go against the recommended usage. Is there a way to keep things secure and still have the functionality?
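
One way to scope the relaxation, shown as an added example that is not part of the original post: keep `X_FRAME_OPTIONS = "DENY"` site-wide and send `SAMEORIGIN` only for admin URLs. The class name, the helper and the `/admin/` prefix are assumptions for illustration, and the code imports nothing from Django; it only follows Django's middleware calling convention.

```python
# Added example, not code from the original post.
# Assumption: the admin is mounted at /admin/, as in the URLs quoted above.

ADMIN_PREFIX = "/admin/"   # hypothetical constant; match it to your urls.py
HEADER = "X-Frame-Options"


def frame_policy_for(path, default="DENY"):
    """Return the X-Frame-Options value for a request path.

    Only paths under the admin prefix get SAMEORIGIN. The prefix ends
    with "/", so "/administrator/" or "/admin-export/" do not match.
    """
    if path.startswith(ADMIN_PREFIX):
        return "SAMEORIGIN"
    return default


class AdminSameOriginFrameMiddleware:
    """Django-style middleware (get_response callable protocol).

    List it AFTER django.middleware.clickjacking.XFrameOptionsMiddleware
    in MIDDLEWARE so it handles the response first. The built-in
    middleware leaves an X-Frame-Options header that is already present
    untouched, so every non-admin response still receives the global
    X_FRAME_OPTIONS = "DENY".
    """

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        # Respect a value set explicitly by the view or a decorator.
        if response.get(HEADER) is not None:
            return response
        policy = frame_policy_for(request.path)
        if policy == "SAMEORIGIN":
            # Relax framing to same-origin pages for admin URLs only.
            response[HEADER] = policy
        return response
```

With this in place the admin's framed "add" form can load from the same origin, while pages outside the admin prefix keep the `DENY` header.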