From 7b955ffad2f05a31a89b48accaf86a9dfecff949 Mon Sep 17 00:00:00 2001
From: Tom Byers
Date: Wed, 1 Aug 2018 14:28:45 +0100
Subject: [PATCH] Add 'self' to 'frame-src' header

Allows iframes to contain pages from the same domain as the parent page.
---
 app/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/__init__.py b/app/__init__.py
index de4cc583c..37781f2ef 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -514,7 +514,7 @@ def useful_headers_after_request(response):
             "object-src 'self';"
             "font-src 'self' data:;"
             "img-src 'self' *.google-analytics.com *.notifications.service.gov.uk {} data:;"
-            "frame-src www.youtube.com;".format(get_cdn_domain())
+            "frame-src 'self' www.youtube.com;".format(get_cdn_domain())
         ))
     if 'Cache-Control' in response.headers:
         del response.headers['Cache-Control']
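Review bot: The new `frame-src 'self' www.youtube.com;` line grants a same-origin allowance, not a same-domain one as the commit message says: CSP `'self'` matches scheme, host and port exactly, so a frame served from another subdomain or over a different scheme is still blocked, and a subsequent "why is my iframe blocked" report is likely if the message is taken literally. Worth a comment above the literal such as `# 'self' here is same-origin (scheme+host+port), not same-domain; other subdomains must be listed explicitly` and rewording the commit description to "same origin". It is also worth being explicit, in the same comment, that `frame-src` only restricts what this page may embed; whether other sites may frame this page is governed by `frame-ancestors` or X-Frame-Options, which this hunk does not show, so I cannot tell whether that is set elsewhere in useful_headers_after_request. The body of useful_headers_after_request begins and ends outside the hunk.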