simonw / django-sql-dashboard

Django app for building dashboards using raw SQL queries
https://django-sql-dashboard.datasette.io/
Apache License 2.0

Protect against clickjacking with Content-Security-Policy: frame-ancestors #64

Closed simonw closed 3 years ago

simonw commented 3 years ago

If I care about clickjacking I should use the Content-Security-Policy: frame-ancestors 'self' header.

Originally posted by @simonw in https://github.com/simonw/django-sql-dashboard/issues/45#issuecomment-819222015

simonw commented 3 years ago

Since these are read-only queries that don't send information anywhere other than the user's own browser, theoretically there's no risk from clickjacking here - but I like defense in depth.
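The header the thread proposes, as an added example that is not code from django-sql-dashboard: a Django-style middleware (assumed name `frame_ancestors_middleware`) that adds `frame-ancestors 'self'` to the `Content-Security-Policy` response header without clobbering a policy set elsewhere, and a small checker for verifying the directive on a response. The `_StubResponse` class is a constructed stand-in for `django.http.HttpResponse` so the block runs without Django.

```python
# Added example, not part of django-sql-dashboard.
CSP_HEADER = "Content-Security-Policy"


def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def add_frame_ancestors(value, sources="'self'"):
    """Append a frame-ancestors directive unless the policy already has one,
    so a stricter policy (e.g. 'none') configured elsewhere is kept."""
    if not value:
        return f"frame-ancestors {sources}"
    if "frame-ancestors" in parse_csp(value):
        return value
    return f"{value.rstrip('; ')}; frame-ancestors {sources}"


def frame_ancestors_middleware(get_response):
    """Django middleware factory (assumed name); add it to MIDDLEWARE.
    Relies only on response[header] = value and response.get(header)."""
    def middleware(request):
        response = get_response(request)
        response[CSP_HEADER] = add_frame_ancestors(response.get(CSP_HEADER, ""))
        return response
    return middleware


def is_frame_protected(headers):
    """True if the headers restrict framing: a frame-ancestors directive
    is present and does not allow every origin via '*'."""
    sources = parse_csp(headers.get(CSP_HEADER, "")).get("frame-ancestors")
    return sources is not None and "*" not in sources


class _StubResponse(dict):
    """Constructed stand-in for HttpResponse (supports item set and get)."""


def demo(existing_csp=None):
    """Run the middleware over a constructed view; return the final header."""
    def view(request):
        response = _StubResponse()
        if existing_csp:
            response[CSP_HEADER] = existing_csp
        return response
    return frame_ancestors_middleware(view)({})[CSP_HEADER]
```

Browsers that understand CSP honour `frame-ancestors` over `X-Frame-Options`, so this complements rather than replaces Django's `XFrameOptionsMiddleware` for older clients.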