Add 'self' to 'frame-src' header

Allows iframes to contain pages from the same domain as the parent page.
2026-06-21 21:53:42 -04:00 · 2018-08-01 14:28:45 +01:00
parent 6a06d4d714
commit 7b955ffad2
1 changed files with 1 additions and 1 deletions
--- a/app/init.py
+++ b/app/init.py
@@ -514,7 +514,7 @@ def useful_headers_after_request(response):
        "object-src 'self';"
        "font-src 'self' data:;"
        "img-src 'self' *.google-analytics.com *.notifications.service.gov.uk {} data:;"
-        "frame-src www.youtube.com;".format(get_cdn_domain())
+        "frame-src 'self' www.youtube.com;".format(get_cdn_domain())
    ))
    if 'Cache-Control' in response.headers:
        del response.headers['Cache-Control']