Disallow any domain from embedding a page to prevent clickjacking #322
Context
Other sites could iframe GOV.UK into theirs and potentially use CSS/JS clickjacking to capture keystrokes etc. It was not done before because in 2020 there were a couple of instances where non-origin framing was a valid use case (e.g. we used to have a side-by-side browser for sites transitioning content to GOV.UK so the departments could see where their pages would redirect to).
In 2023, the side-by-side browser is now retired, and we now have the GOV.UK Account in place and a potential move towards personalisation, so the likelihood of an attacker attempting to steal GOV.UK credentials is growing.
Trello card
Changes proposed
Disallow any domain from embedding a page to prevent clickjacking with the HTTP Content-Security-Policy frame-ancestors directive. Decided to use the frame-ancestors directive rather than the X-Frame-Options HTTP response header, as the latter has more drawbacks, the main one being the fact that it is now deprecated.

Considerations
We also have some different options for X-Frame-Options set in the apps. They will take priority, so this PR is safe to merge and release the gem. There will be follow-up work to look into these.

List of individual directives
Signon: SAMEORIGIN
Collections: ALLOWALL
Frontend: ALLOWALL in application config, DENY in content_item controller
Finder Frontend: ALLOWALL
Authenticating proxy: Deletes X-Frame-Options headers
Content tagger: has an iframing allowing proxy
Asset manager: DENY, nginx config in govuk-helm-charts
govuk_publishing_components (Components guide): ALLOWALL
datagovuk_find: DENY
datagovuk_publish: SAMEORIGIN
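As an added illustration of the change proposed above (this is example code, not the gem's own implementation), the following Ruby shows a Rack middleware that appends `frame-ancestors 'none'` to the Content-Security-Policy of every response, plus a small evaluator that answers whether a page with a given policy may be framed from a given parent origin. The evaluator covers `'none'`, `'self'`, scheme sources such as `https:` and host sources including `*.` wildcards, so it goes slightly beyond the `'none'` case this PR uses; the middleware class name, the header hash shape and the sample origins are assumptions of this example.

```ruby
require "uri"

# Constructed example (not govuk_app_config code): Rack middleware that adds
# the CSP frame-ancestors directive, defaulting to 'none' (block all framing).
class FrameAncestorsMiddleware
  def initialize(app, sources: ["'none'"])
    @app = app
    @value = "frame-ancestors #{sources.join(' ')}"
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Append to any policy the app already sets so its other directives survive.
    # (Header names are assumed to be canonical-case strings, as in Rack 2.)
    existing = headers["Content-Security-Policy"]
    headers["Content-Security-Policy"] = existing ? "#{existing}; #{@value}" : @value
    [status, headers, body]
  end
end

# Returns the frame-ancestors source list from a CSP header value, nil if the
# directive is absent. An empty list means the directive was given with no
# sources, which the CSP spec treats like 'none'.
def frame_ancestors_sources(csp)
  return nil if csp.nil?
  directive = csp.split(";").map(&:strip).find { |d| d.downcase.start_with?("frame-ancestors") }
  return nil if directive.nil?
  directive.split(/\s+/).drop(1)
end

# Matches a host source such as "https://*.gov.uk" or "www.gov.uk:443"
# against the parent document's origin.
def host_source_match?(src, parent)
  scheme, host_port = src.include?("://") ? src.split("://", 2) : [nil, src]
  return false if scheme && scheme.downcase != parent.scheme
  host, port = host_port.split(":", 2)
  return false if port && port != "*" && port.to_i != parent.port
  if host.start_with?("*.")
    parent.host.end_with?(host[1..]) # "*.gov.uk" matches "www.gov.uk"
  else
    parent.host.casecmp?(host)
  end
end

# Decides whether a page served from page_origin with the given CSP may be
# embedded by a document at parent_origin. With no directive the browser
# imposes no restriction from CSP, so framing is allowed.
def framing_allowed?(csp, page_origin:, parent_origin:)
  sources = frame_ancestors_sources(csp)
  return true if sources.nil?
  return false if sources.empty? || sources.include?("'none'")
  parent = URI.parse(parent_origin)
  page = URI.parse(page_origin)
  sources.any? do |src|
    case src
    when "'self'"
      parent.scheme == page.scheme && parent.host == page.host && parent.port == page.port
    when /\A[a-z][a-z0-9+.-]*:\z/i # scheme source, e.g. "https:"
      parent.scheme == src.chomp(":").downcase
    else
      host_source_match?(src, parent)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample app and origins for a stand-alone run.
  app = FrameAncestorsMiddleware.new(->(_env) { [200, { "Content-Type" => "text/html" }, ["ok"]] })
  _, headers, = app.call({})
  puts headers["Content-Security-Policy"]
  puts framing_allowed?(headers["Content-Security-Policy"],
                        page_origin: "https://www.gov.uk",
                        parent_origin: "https://attacker.example")
end
```

The evaluator is useful as a test helper when auditing the per-app settings listed above: feed it the CSP each app actually returns and assert that framing from a foreign origin is refused.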