Bugfix: allow embedding only from current origin - Githubissues

PrefectHQ / ui

The home of the Prefect 1 UI

https://cloud.prefect.io

Other

177 stars 42 forks source link

Bugfix: allow embedding only from current origin #1380

Closed jawnsy closed 1 year ago

jawnsy commented 1 year ago

Add frame-ancestors 'self' to Content-Security-Policy (equivalent to X-Frame-Options SAMEORIGIN) to prevent clickjacking attacks.

Closes: https://github.com/PrefectHQ/devsecops/issues/833

Description

<! -- What is it meant to do? -->

Linked Issues

<! -- Use a key word (e.g. closes or resolves) to close related issues -->

Tests and performance

[x] Changes to any .js files are covered by existing tests or this PR adds new tests (if not please explain why below)
[x] No new packages are added or package size and performance considerations are discussed below
[x] PR Title fits our changelog format

Releases/Changelog cuts only
[ ] Completed the QA Checklist in staging