From 82b50460e12512033c74260bfc5eee834a038d49 Mon Sep 17 00:00:00 2001
From: Dave MacFarlane
Date: Mon, 27 Sep 2021 09:21:03 -0400
Subject: [PATCH] [Security] Add 2 more Content-Security-Policy options (#7579)

This adds to more CSP directives that are defined in CSP Level 3. (See: https://w3c.github.io/webappsec-csp/)

`frame-ancestors: 'none'` prevents LORIS from being embedded in an iframe. This prevents the class of attacks where a third party embeds the page in an iframe, but covers it with an invisible div to intercept clicks or other interactions.

`form-action: self` prevents forms from submitting data to a target that is off-site.
---
 php/libraries/NDB_Client.class.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/php/libraries/NDB_Client.class.inc b/php/libraries/NDB_Client.class.inc
index 621ec496408..334e02a02b8 100644
--- a/php/libraries/NDB_Client.class.inc
+++ b/php/libraries/NDB_Client.class.inc
@@ -129,6 +129,8 @@ class NDB_Client
 . "script-src 'self' 'unsafe-inline' 'unsafe-eval' $CaptchaDomains; "
 . "font-src 'self' data:; "
 . "img-src 'self' data:; "
+ . "frame-ancestors 'none'; "
+ . "form-action 'self'; "
 . $config_additions
 );
 // start php session
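Review bot: Placing `frame-ancestors 'none'` and `form-action 'self'` ahead of `$config_additions` means a deployment cannot relax either directive from configuration, because a CSP ignores any later repeat of a directive name and keeps the first occurrence. If some installations legitimately need framing (an embedding portal) or an off-site form target (an external login handler), that now requires a code change rather than a config entry; if the two directives are meant to be non-negotiable, say so next to them, e.g. `// Hard-coded before $config_additions on purpose: CSP honours only the first occurrence of a directive, so config cannot weaken these.` Note also that `frame-ancestors` is only honoured when the policy is sent as an HTTP header, not via a `<meta>` tag, and browsers without CSP Level 3 support still need `X-Frame-Options: DENY` for the same protection, if that header is not already emitted elsewhere. The statement being extended begins before the hunk, so the call that actually delivers the policy is not visible here.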