authorTor Brede Vekterli <vekterli@yahooinc.com>2022-09-08 09:22:30 +0000
committerTor Brede Vekterli <vekterli@yahooinc.com>2022-09-08 10:41:14 +0000
commit46866b3f944baf6dbcff28ec8952255693d495c0 (patch)
treefcb55505601bba4d12856ad577e120920ee9b315 /vespalib
parent5f19d58210dee17bf2c8161b6fbea66163cd79d6 (diff)
Add frame-ancestors: 'none' to CSP headers returned by internal server
We already have (and will continue to have) `X-Frame-Options: DENY`, but this is the more modern version of it.
Diffstat (limited to 'vespalib')
-rw-r--r--vespalib/src/vespa/vespalib/portal/http_connection.cpp5
1 files changed, 3 insertions, 2 deletions
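diff --git a/vespalib/src/vespa/vespalib/portal/http_connection.cpp b/vespalib/src/vespa/vespalib/portal/http_connection.cpp
index 2c2a36c1529..6ea56e2659c 100644
--- a/vespalib/src/vespa/vespalib/portal/http_connection.cpp
+++ b/vespalib/src/vespa/vespalib/portal/http_connection.cpp
@@ -103,8 +103,9 @@ void emit_http_security_headers(OutputWriter &dst) {
 // Do not allow embedding via iframe (clickjacking prevention)
 dst.printf("X-Frame-Options: DENY\r\n");
 // Do not allow _anything_ to be externally loaded, nor inline scripts
-// etc to be executed.
-dst.printf("Content-Security-Policy: default-src 'none'\r\n");
+// etc. to be executed.
+// "frame-ancestors: none" is analogous to X-Frame-Options: DENY.
+dst.printf("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'\r\n");
 // No heuristic auto-inference of content-type based on payload.
 dst.printf("X-Content-Type-Options: nosniff\r\n");
 // Don't store any potentially sensitive data in any caches.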
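Review bot: The new comment quotes the directive as `"frame-ancestors: none"`, which is not the syntax the header on the next line actually emits (`frame-ancestors 'none'` — no colon, and the keyword is single-quoted); a reader who copies the comment form into another header would produce an invalid directive that browsers ignore. It would also help to say why the directive is listed at all given `default-src 'none'` is already present, since `frame-ancestors` is one of the directives that does not fall back to `default-src`. Suggested wording: `// "frame-ancestors 'none'" is the CSP analogue of X-Frame-Options: DENY; it must be listed explicitly because frame-ancestors does not inherit from default-src.` The enclosing emit_http_security_headers function starts before and continues past this hunk.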