Merge pull request #325 from alphagov/update-csp

Allow gov.uk domains to embed pages
alphagov · Oct 9, 2023 · 37f62a6 · 37f62a6
2 parents a4764a3 + 08d598a
commit 37f62a6
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 9.5.0
+
+* Allow gov.uk domains to embed pages in the global Content Security Policy ([#325](https://github.com/alphagov/govuk_app_config/pull/325))
+
 # 9.4.0
 
 * Disallow any domain from embeding a page to prevent clickjacking ([#322](https://github.com/alphagov/govuk_app_config/pull/322))

diff --git a/lib/govuk_app_config/govuk_content_security_policy.rb b/lib/govuk_app_config/govuk_content_security_policy.rb
@@ -80,10 +80,10 @@ def self.build_policy(policy)
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
     policy.frame_src :self, *GOVUK_DOMAINS, "www.youtube.com", "www.youtube-nocookie.com" # Allow youtube embeds
 
-    # Disallow any domain from embeding a page using <frame>, <iframe>, <object>, or <embed> to prevent clickjacking
+    # Disallow non-gov.uk domains from embeding a page using <frame>, <iframe>, <object>, or <embed> to prevent clickjacking
     #
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
-    policy.frame_ancestors :none
+    policy.frame_ancestors :self, *GOVUK_DOMAINS
 
     policy.report_uri ENV["GOVUK_CSP_REPORT_URI"] if ENV.include?("GOVUK_CSP_REPORT_URI")
   end

diff --git a/lib/govuk_app_config/version.rb b/lib/govuk_app_config/version.rb
@@ -1,3 +1,3 @@
 module GovukAppConfig
-  VERSION = "9.4.0".freeze
+  VERSION = "9.5.0".freeze
 end