♻️ Block iframe embeds #12470

esizer · 2025-01-10T20:24:45Z

♻️ Debt/Refactor

We currently do not have a policy header for frames and should add one.

I do not think we use iframes anywhere on the site so we should probably just block them outright?

Add the following headers (one we have and you just need to append to the CSP).

Content-Security-Policy: frame-ancestors 'none'
X-Frame-Options: DENY

The text was updated successfully, but these errors were encountered:

tristan-orourke · 2025-01-13T18:09:35Z

We need to check if our logout process uses an iframe.
If it does, we can add it to a whitelist.

esizer added the debt Refactor or improve existing code. label Jan 10, 2025

github-project-automation bot added this to GC Digital Talent Jan 10, 2025

esizer added the security Related to app security. label Jan 10, 2025

mnigh added the review in refinement Ready to be looked at and pulled into "ready to dev" label Jan 13, 2025

tristan-orourke removed the review in refinement Ready to be looked at and pulled into "ready to dev" label Jan 13, 2025

tristan-orourke moved this to 🏭 Ready for Estimate in GC Digital Talent Jan 13, 2025