[Security] Add 2 more Content-Security-Policy options (#7579)

This adds to more CSP directives that are defined in CSP Level 3. (See: https://w3c.github.io/webappsec-csp/) `frame-ancestors: 'none'` prevents LORIS from being embedded in an iframe. This prevents the class of attacks where a third party embeds the page in an iframe, but covers it with an invisible div to intercept clicks or other interactions. `form-action: self` prevents forms from submitting data to a target that is off-site.
aces · Sep 27, 2021 · 82b5046 · 82b5046
1 parent 7b1af55
commit 82b5046
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/php/libraries/NDB_Client.class.inc b/php/libraries/NDB_Client.class.inc
@@ -129,6 +129,8 @@ class NDB_Client
             . "script-src 'self' 'unsafe-inline' 'unsafe-eval' $CaptchaDomains; "
             . "font-src 'self' data:; "
             . "img-src 'self' data:; "
+            . "frame-ancestors 'none'; "
+            . "form-action 'self'; "
             . $config_additions
         );
         // start php session