Skip to content

Commit

Permalink
Merge pull request #325 from alphagov/update-csp
Browse files Browse the repository at this point in the history
Allow gov.uk domains to embed pages
  • Loading branch information
AgaDufrat authored Oct 9, 2023
2 parents a4764a3 + 08d598a commit 37f62a6
Show file tree
Hide file tree
Showing 3 changed files with 7 additions and 3 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
# 9.5.0

* Allow gov.uk domains to embed pages in the global Content Security Policy ([#325](https://github.com/alphagov/govuk_app_config/pull/325))

# 9.4.0

* Disallow any domain from embeding a page to prevent clickjacking ([#322](https://github.com/alphagov/govuk_app_config/pull/322))
Expand Down
4 changes: 2 additions & 2 deletions lib/govuk_app_config/govuk_content_security_policy.rb
Original file line number Diff line number Diff line change
Expand Up @@ -80,10 +80,10 @@ def self.build_policy(policy)
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
policy.frame_src :self, *GOVUK_DOMAINS, "www.youtube.com", "www.youtube-nocookie.com" # Allow youtube embeds

# Disallow any domain from embeding a page using <frame>, <iframe>, <object>, or <embed> to prevent clickjacking
# Disallow non-gov.uk domains from embeding a page using <frame>, <iframe>, <object>, or <embed> to prevent clickjacking
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
policy.frame_ancestors :none
policy.frame_ancestors :self, *GOVUK_DOMAINS

policy.report_uri ENV["GOVUK_CSP_REPORT_URI"] if ENV.include?("GOVUK_CSP_REPORT_URI")
end
Expand Down
2 changes: 1 addition & 1 deletion lib/govuk_app_config/version.rb
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
module GovukAppConfig
VERSION = "9.4.0".freeze
VERSION = "9.5.0".freeze
end

0 comments on commit 37f62a6

Please sign in to comment.