Add frame-src to CspOptions and include in CSP header

[dai-le]

Adding facebook like button with IFrame but could not specify frame-src.

Got it to work with this:
options.CspOptions.ScriptSrc = "; frame-src https://www.facebook.com;";

[brockallen]

Oh sorry -- it's an iframe to FB. Still, do you really need a FB like button on your login page?

[dai-le]

It's a requirement from the product owner.

[brockallen]

You might want to just mention that the login page is an odd place to have something like that.

[dai-le]

Certainly can.

[leastprivilege]

and with "odd" - Brock means insecure. You want to lock down your login page as much as possible.

[brockallen]

So what are we going to do with this issue?

[dai-le]

Have you decided on whether or not you'll be adding support for frame-src? I don't see a reason not to if the library already supports script-src, unless you see otherwise.

[brockallen]

I guess we can add this. IMO doing that on the login page is a bad idea, though, but I can't stop you from doing it.

[dai-le]

Yeah, I agree with you, having someone else's script being able to run on your login page is not safe.

[leastprivilege]

is this still required?

[dai-le]

I have little control over how it should all work :/ but as of right now, the requirement is still there and the work around is working for us to get the script on the page at the moment. I don't know how you guys decide on what features get in; my only concern is the possibility of a future change that might break our work around if this doesn't get in.

[brockallen]

Ok, we'll add it (since you can obviously subvert it by changing the source code).

[dai-le]

Thank you.

[edwinf]

@brockallen I would request this as well. My product owner wants to add reCaptcha to our login page and the frame source is the one piece we're missing. (the above workaround is what we'll do in the short term). If it would help, I can submit a PR.

[brockallen]

Done on dev