Allow gov.uk domains to embed pages
We initially added the strict, OWASP-recommended 'none' directive based on
the assumption that only the side-by-side browser tool (retired in November 2022)
was preventing us from implementing it.

However some other internal GOV.UK apps use iframes:
- Search Admin
    - Best bets (queries)
    - External links (recommended-links)
- Content Publisher (Preview feature)

This policy will still ensure sufficient security yet will allow internal
GOV.UK domains to embed pages. It's added to the global base policy because,
given the number of frontend applications, it may be difficult to predict which
frontend app renders the page that we want to iframe. It will reduce the need
to apply a CSP modification in individual apps.
AgaDufrat committed Oct 9, 2023
1 parent a4764a3 commit ba97b9d
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions lib/govuk_app_config/govuk_content_security_policy.rb
@@ -80,10 +80,10 @@ def self.build_policy(policy)
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
policy.frame_src :self, *GOVUK_DOMAINS, "www.youtube.com", "www.youtube-nocookie.com" # Allow youtube embeds

# Disallow any domain from embeding a page using <frame>, <iframe>, <object>, or <embed> to prevent clickjacking
# Disallow non-gov.uk domains from embeding a page using <frame>, <iframe>, <object>, or <embed> to prevent clickjacking
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
policy.frame_ancestors :none
policy.frame_ancestors :self, *GOVUK_DOMAINS

policy.report_uri ENV["GOVUK_CSP_REPORT_URI"] if ENV.include?("GOVUK_CSP_REPORT_URI")
end
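Review bot: the new `policy.frame_ancestors :self, *GOVUK_DOMAINS` line makes the contents of `GOVUK_DOMAINS` the sole clickjacking control for every app that inherits this base policy, because `frame-ancestors` never falls back to `default-src`. That is a wider grant than the commit message's "internal GOV.UK apps" suggests: any origin matching an entry in that list (and every host under any wildcard entry it may contain) can frame any page served with this policy, not just Search Admin and Content Publisher. Worth confirming that `GOVUK_DOMAINS` holds only hosts the programme controls, and noting in the comment that apps with no legitimate embedder can still tighten this back to `:none` locally. Separately, the updated comment keeps the typo "embeding"; it should read "embedding".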
