Disallow any domain from embedding a page to prevent clickjacking
Other sites could iframe GOV.UK into theirs and potentially use CSS/JS clickjacking to capture keystrokes etc. It was not done before because in 2020 there were a couple of instances where non-origin framing was a valid use case (e.g. we used to have a side-by-side browser for sites transitioning content to GOV.UK so the departments could see where their pages would redirect to).

In 2023, the side-by-side browser (https://docs.publishing.service.gov.uk/repos/side-by-side-browser.html) is now retired, and we now have the GOV.UK Account in place and a potential move towards personalisation, so the likelihood of an attacker attempting to steal GOV.UK credentials is growing.

Decided to use the `frame-ancestors` directive rather than the `X-Frame-Options` HTTP response header, as the latter has more drawbacks, the main one being the fact that it is now deprecated.
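As an added example that is not part of the commit or of GOV.UK's own code, the check below classifies a response's framing protection the way the commit reasons about it: a CSP `frame-ancestors` directive is the authoritative control, and `X-Frame-Options` is only a deprecated fallback. The header dictionary shape and all sample headers are constructed for the example.

```python
"""Classify whether HTTP response headers stop the page from being framed.

Constructed example: headers are a dict of header name -> list of values
(a name may repeat, e.g. several Content-Security-Policy headers).
"""
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, List[str]]


def csp_frame_ancestors(headers: Headers) -> Optional[List[str]]:
    """Return the source list of the first frame-ancestors directive found in
    an enforcing Content-Security-Policy header, or None if no policy sets it.
    Names are matched case-insensitively; directives are separated by ';'."""
    for name, values in headers.items():
        if name.lower() != "content-security-policy":
            continue
        for policy in values:
            for directive in policy.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    return [t.lower() for t in tokens[1:]]
    return None


def framing_verdict(headers: Headers) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is one of
    'blocked', 'same-origin', 'restricted' or 'open'.

    frame-ancestors takes precedence over X-Frame-Options when both are
    present, which is what CSP-aware browsers do."""
    sources = csp_frame_ancestors(headers)
    if sources is not None:
        if not sources or sources == ["'none'"]:
            # An empty source list matches no ancestor, same effect as 'none'.
            return "blocked", "CSP frame-ancestors 'none'"
        if sources == ["'self'"]:
            return "same-origin", "CSP frame-ancestors 'self'"
        return "restricted", "CSP frame-ancestors " + " ".join(sources)
    for name, values in headers.items():
        if name.lower() == "x-frame-options" and values:
            xfo = values[0].strip().upper()
            if xfo == "DENY":
                return "blocked", "X-Frame-Options DENY (deprecated header)"
            if xfo == "SAMEORIGIN":
                return "same-origin", "X-Frame-Options SAMEORIGIN (deprecated header)"
            # Unknown values (including the obsolete ALLOW-FROM) are ignored by browsers.
            return "open", f"unrecognised X-Frame-Options value {xfo!r}"
    return "open", "no framing restriction header present"
```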