From 458ec5988eedecd94b57c0bdca5fc4335628dbec Mon Sep 17 00:00:00 2001
From: Phil Porada
Date: Fri, 10 Jul 2020 11:51:09 -0400
Subject: [PATCH 1/2] Add CSP frame-ancestors: 'none'
"Setting this directive to 'none' is similar to X-Frame-Options: deny (which is also supported in older browsers)." https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
---
 netlify.toml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/netlify.toml b/netlify.toml
index b2fad54992..0cbd49cc72 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -35,8 +35,10 @@ Feature-Policy = """
 # "img-src data: blob:" is for Plotly download feature
 # "script-src unsafe-eval unsafe-inline data:": For Google Analytics
 # "form-action" is NOT set, so it allows everything (it doesn't default to default-src). If restricted, It must allow at least www.paypal.com and its redirects
+# "frame-ancestors" is a modern equivalent and successfor to the X-Frame-Options header
 Content-Security-Policy = """
 default-src 'none';
+ frame-ancestors 'none';
 font-src 'self';
 style-src 'unsafe-inline' 'self';
 script-src 'unsafe-eval' 'unsafe-inline' 'self' data:
From bad0fb94089890f86a0b76ad8cc1776c278bd2d4 Mon Sep 17 00:00:00 2001
From: Josh Aas
Date: Thu, 28 Sep 2023 10:30:40 -0400
Subject: [PATCH 2/2] Fix typo and apply change to default server
---
 config/_default/server.toml | 2 ++
 netlify.toml | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/config/_default/server.toml b/config/_default/server.toml
index 678004108c..e40e6378fa 100644
--- a/config/_default/server.toml
+++ b/config/_default/server.toml
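Review bot: The new comment line above `Content-Security-Policy` describes `frame-ancestors` only as an X-Frame-Options successor and leaves out the reason the directive has to be listed at all under `default-src 'none'`: like `form-action` (noted two lines earlier in the same hunk), `frame-ancestors` does not fall back to `default-src`, so before this change the policy placed no framing restriction whatsoever. I would extend the comment to `# "frame-ancestors" does NOT fall back to default-src (same as form-action), so it must be set explicitly; 'none' also blocks same-origin framing`. The `'none'` value forbids the site from framing its own pages as well as third parties, which is presumably intended but worth confirming against anything on the site that embeds its own pages in an iframe. The `Content-Security-Policy` value continues past the end of the hunk.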
@@ -27,8 +27,10 @@ Permissions-Policy = """
 # "img-src data: blob:" is for Plotly download feature
 # "script-src unsafe-eval unsafe-inline data:": For Google Analytics
 # "form-action" is NOT set, so it allows everything (it doesn't default to default-src). If restricted, It must allow at least www.paypal.com and its redirects
+# "frame-ancestors" is a modern equivalent and successor to the X-Frame-Options header
 Content-Security-Policy = """
 default-src 'none';
+ frame-ancestors 'none';
 font-src 'self';
 style-src 'unsafe-inline' 'self';
 script-src 'unsafe-eval' 'unsafe-inline' 'self' data:
diff --git a/netlify.toml b/netlify.toml
index 71a04899e1..34a824e78f 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -36,7 +36,7 @@ Permissions-Policy = """
 # "img-src data: blob:" is for Plotly download feature
 # "script-src unsafe-eval unsafe-inline data:": For Google Analytics
 # "form-action" is NOT set, so it allows everything (it doesn't default to default-src). If restricted, It must allow at least www.paypal.com and its redirects
-# "frame-ancestors" is a modern equivalent and successfor to the X-Frame-Options header
+# "frame-ancestors" is a modern equivalent and successor to the X-Frame-Options header
 Content-Security-Policy = """
 default-src 'none';
 frame-ancestors 'none';
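Review bot: The added `frame-ancestors 'none';` in the server.toml hunk is only enforced by browsers that implement CSP level 2, and nothing in the hunk shows whether this header block still sends `X-Frame-Options`; the first patch's own message notes that `X-Frame-Options: deny` is what older browsers support, so if the default server does not already set `X-Frame-Options = "DENY"`, keep or add it alongside the CSP (browsers that understand `frame-ancestors` give it precedence, so the two do not conflict). This hunk also shows that `config/_default/server.toml` and `netlify.toml` carry parallel copies of the same policy, which is how the first patch shipped to one file and not the other for three years; a short comment on each block, e.g. `# Keep in sync with the Content-Security-Policy block in netlify.toml`, would make the coupling visible to the next editor. The `Content-Security-Policy` value continues past the end of the hunk.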