daniel-ac-martin / NotGovUK

An implementation of the GOV.UK Design System in React that provides support for writing internal applications in addition to public ones.
https://not-gov.uk/
MIT License

Allow frame ancestors #966

Closed daniel-ac-martin closed 3 months ago

daniel-ac-martin commented 3 months ago

Allows the user to provide a frameAncestors option to the engine, which follows the Content Security Policy format. An equivalent environment variable has also been created.

Examples

Only allow us to put our pages in frames:

FRAME_ANCESTORS="'self'"

Note: Pay attention to the single quotes!

Also allow example.com and its subdomains:

FRAME_ANCESTORS="'self',*example.com"

Allow all frames (not advised):

FRAME_ANCESTORS="*"

To disallow frames (default):

FRAME_ANCESTORS="'none'"

We disallow frames by default in order to prevent clickjacking.

Partially addresses: #950
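The FRAME_ANCESTORS value described above ends up as a CSP frame-ancestors directive in the response. The following is an added example, not NotGovUK's code, showing how such a value can be validated and turned into response headers; the helper names, the response stub and the acceptance of commas as well as spaces as separators are assumptions made for this illustration. It checks two things that the note about single quotes is warning about: a bare `self` or `none` without quotes is parsed by browsers as a host name, not as the keyword, and in CSP's host-source grammar a wildcard host is written `*.example.com`. It also emits the legacy X-Frame-Options header where an exact equivalent of the policy exists.

```javascript
// Added example (not NotGovUK's code): turn a FRAME_ANCESTORS-style value into the
// response headers that enforce it. Helper names and the comma-or-space separator
// handling are assumptions made for this illustration.

const KEYWORDS = new Set(["'self'", "'none'"]);
// Simplified CSP3 host-source: optional scheme, optional "*." wildcard label,
// dotted host name, optional port (a number or "*").
const HOST_SOURCE =
  /^(?:(?:https?|wss?):\/\/)?(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*(?::(?:\d+|\*))?$/;
const SCHEME_SOURCE = /^(?:https?|wss?):$/;

function parseFrameAncestors(value) {
  // CSP separates sources with spaces; commas are also accepted here for env-var convenience.
  const sources = String(value).trim().split(/[\s,]+/).filter(Boolean);
  if (sources.length === 0) {
    throw new Error("frameAncestors must contain at least one source");
  }
  for (const s of sources) {
    if (/^(self|none)$/i.test(s)) {
      // Without the single quotes a browser treats this as a host named "self"/"none".
      throw new Error(`"${s}" is a host name; the keyword must be quoted as '${s.toLowerCase()}'`);
    }
    const ok = s === "*" || KEYWORDS.has(s) || SCHEME_SOURCE.test(s) || HOST_SOURCE.test(s);
    if (!ok) {
      throw new Error(`invalid frame-ancestors source: ${s}`);
    }
  }
  if (sources.includes("'none'") && sources.length > 1) {
    throw new Error("'none' cannot be combined with other sources");
  }
  return sources;
}

function frameAncestorsHeaders(value = "'none'") {
  const sources = parseFrameAncestors(value);
  const headers = {
    "Content-Security-Policy": `frame-ancestors ${sources.join(" ")}`,
  };
  // Legacy fallback for browsers without frame-ancestors support. Only DENY and
  // SAMEORIGIN have exact equivalents; ALLOW-FROM is obsolete, so any other list
  // relies on CSP alone.
  if (sources.length === 1 && sources[0] === "'none'") {
    headers["X-Frame-Options"] = "DENY";
  } else if (sources.length === 1 && sources[0] === "'self'") {
    headers["X-Frame-Options"] = "SAMEORIGIN";
  }
  return headers;
}

// Apply to any Node-style response object (http.ServerResponse, Express res, ...).
function applyFrameAncestors(res, value) {
  const headers = frameAncestorsHeaders(value);
  for (const [name, v] of Object.entries(headers)) {
    res.setHeader(name, v);
  }
  return headers;
}

// Stand-alone demonstration using a constructed response stub.
if (typeof require !== "undefined" && require.main === module) {
  const stub = { headers: {}, setHeader(n, v) { this.headers[n] = v; } };
  applyFrameAncestors(stub, process.env.FRAME_ANCESTORS || "'self',*.example.com");
  console.log(stub.headers);
}
```

Two caveats worth keeping in mind when wiring this up: browsers only honour frame-ancestors when it arrives in the HTTP header (a copy in a `<meta http-equiv>` tag is ignored), and when both headers are present a browser that understands frame-ancestors ignores X-Frame-Options, so the fallback only matters for older clients.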

cypress[bot] commented 3 months ago

Passing run #4843

Failed: 0, Passed: 1, Pending: 0, Skipped: 0, Flakiness: 0

Details:

plop-pack: Take advantage of frameAncestors option
Project: NotGovUK Commit: 1781906aef
Status: Passed Duration: 12:08
Started: Apr 3, 2024 4:21 PM Ended: Apr 3, 2024 4:34 PM

Review all test suite changes for PR #966