Commit
[Security] Add 2 more Content-Security-Policy options (#7579)
This adds two more CSP directives that are defined in CSP Level 3. (See: https://w3c.github.io/webappsec-csp/) `frame-ancestors: 'none'` prevents LORIS from being embedded in an iframe. This prevents the class of attacks where a third party embeds the page in an iframe, but covers it with an invisible div to intercept clicks or other interactions. `form-action: self` prevents forms from submitting data to a target that is off-site.
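A small audit routine for the two directives the commit message describes, added here as an example and not code from the LORIS project; the two header strings are constructed for illustration and do not reproduce LORIS's real policy.

```python
"""Audit a Content-Security-Policy header for the two CSP Level 3
directives added in the commit: frame-ancestors and form-action."""

# Constructed "before" policy: nothing restricts framing or form targets.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"

# Constructed "after" policy with the two directives added.
HARDENED_CSP = (
    "default-src 'self'; script-src 'self' 'unsafe-inline'; "
    "frame-ancestors 'none'; form-action 'self'"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.
    Directives are ';'-separated; the first token is the (case-insensitive)
    name. A repeated directive is ignored by browsers, so the first wins."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, *sources = tokens
        policy.setdefault(name.lower(), sources)
    return policy


def audit_csp(header: str) -> list[str]:
    """Return findings for the header; empty when both protections are set.
    Neither directive falls back to default-src, so a policy that sets
    default-src 'self' alone still allows framing and off-site form posts."""
    policy = parse_csp(header)
    findings: list[str] = []
    frame = policy.get("frame-ancestors")
    if frame is None:
        findings.append("frame-ancestors missing: any origin may frame the page")
    elif "*" in frame:
        findings.append("frame-ancestors allows '*': any origin may frame the page")
    form = policy.get("form-action")
    if form is None:
        findings.append("form-action missing: forms may submit to off-site targets")
    elif "*" in form:
        findings.append("form-action allows '*': forms may submit to off-site targets")
    return findings


if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(label, audit_csp(csp) or ["ok"])
```

Note that frame-ancestors is only honoured when delivered in the HTTP response header, not in a `<meta http-equiv>` tag, so the check is worth running against live response headers rather than page markup.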