Add "Content-Security-Policy: frame-ancestors 'self'" to all view hea…

…ders (CO-2705) (#580) Co-authored-by: Arlen Johnson <[email protected]>
Internet2 · Mar 1, 2024 · 3aeb1cb · 3aeb1cb
1 parent 39f988d
commit 3aeb1cb
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 1 deletion.
diff --git a/app/View/Layouts/default.ctp b/app/View/Layouts/default.ctp
@@ -29,6 +29,7 @@
   header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
   header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
   header("Pragma: no-cache");
+  header("Content-Security-Policy: frame-ancestors 'self'");
 
   // Add X-UA-Compatible header for IE
   if (isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false)) {

diff --git a/app/View/Layouts/error.ctp b/app/View/Layouts/error.ctp
@@ -15,7 +15,8 @@
  * @since         CakePHP(tm) v 0.10.0.1076
  * @license       MIT License (http://www.opensource.org/licenses/mit-license.php)
  */
-
+
+header("Content-Security-Policy: frame-ancestors 'self'");
 $cakeDescription = __d('cake_dev', 'CakePHP: the rapid development php framework');
 ?>
 <!DOCTYPE html>

diff --git a/app/View/Layouts/lightbox.ctp b/app/View/Layouts/lightbox.ctp
@@ -29,6 +29,7 @@
   header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
   header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
   header("Pragma: no-cache");
+  header("Content-Security-Policy: frame-ancestors 'self'");
 ?>
 <!DOCTYPE html>
 <html>

diff --git a/app/View/Layouts/redirect.ctp b/app/View/Layouts/redirect.ctp
@@ -29,6 +29,7 @@
   header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
   header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
   header("Pragma: no-cache");
+  header("Content-Security-Policy: frame-ancestors 'self'");
 
   // Add X-UA-Compatible header for IE
   if (isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false)) {