Commit
See alphagov/manuals-frontend#123

Rails 4+ sets the X-Frame-Options header to SAMEORIGIN by default. This means that the resource can only be put into an iframe on the same domain. One problem this causes is that the side-by-side browser - which is a tool used during transition - can't work correctly. In the past we have decided that, with the exception of transaction start pages, we want to allow content on GOV.UK to be iframed. Transaction start pages are exceptional because we are particularly concerned about clickjacking of the start button.
89284b0
You might use
X-Frame-Options: allow-from https://www.gov.uk
(Reference) which should offer a reasonable compromise between the needs of transformation and resistance to clickjacking. Or use Content-Security-Policy: frame-ancestors ... with the same effect. This workaround was created in 2015 and it's now 2018 and www.gov.uk still sets it to allowall which, at best, looks unprofessional.
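The framing rules the commit message and the comment above talk about (SAMEORIGIN, the non-standard ALLOWALL, ALLOW-FROM and CSP frame-ancestors), as an added example that is not part of this commit or of alphagov/manuals-frontend. It models how a browser decides whether a response may be shown inside an iframe from the page's own origin, the top-level embedding page's origin and the response headers. The module name, the sample headers and the origins used in the walk-through are made up for this example.

```ruby
require 'uri'

# Added example, not code from alphagov/manuals-frontend: a small model of how a
# browser decides whether a response may be displayed inside an <iframe>, given
# the page's own origin, the embedding (top-level) page's origin and the
# response headers. Covers X-Frame-Options DENY / SAMEORIGIN / ALLOW-FROM, the
# non-standard ALLOWALL mentioned in the thread, and CSP frame-ancestors.
# Module and method names are invented for this example.
module FramingPolicy
  # Reduce a URL to its origin: scheme://host[:port], lower-cased.
  def self.origin_of(url)
    u = URI.parse(url.strip)
    port = (u.port.nil? || u.port == u.default_port) ? '' : ":#{u.port}"
    "#{u.scheme}://#{u.host}#{port}".downcase
  end

  # Return the frame-ancestors source list from a CSP header, or nil if absent.
  def self.frame_ancestors(csp)
    return nil if csp.nil?
    directive = csp.split(';').map(&:strip)
                   .find { |d| d.downcase.start_with?('frame-ancestors') }
    return nil if directive.nil?
    directive.split(/\s+/).drop(1)
  end

  # Match one frame-ancestors source expression. Only 'none', 'self' and full
  # origins are modelled; scheme-only ("https:") and wildcard hosts are not.
  def self.source_matches?(source, embedder, page_origin)
    case source.downcase
    when "'none'" then false
    when "'self'" then embedder == page_origin
    else embedder == origin_of(source)
    end
  end

  # Does X-Frame-Options permit this embedder? Values the browser does not
  # recognise (ALLOWALL among them) make it ignore the header, so the effect of
  # ALLOWALL is the same as sending no header at all: framing is allowed.
  def self.xfo_allows?(value, embedder, page_origin)
    return true if value.nil?
    token, target = value.strip.split(/\s+/, 2)
    case token.upcase
    when 'DENY'       then false
    when 'SAMEORIGIN' then embedder == page_origin
    when 'ALLOW-FROM' then !target.nil? && embedder == origin_of(target)
    else true
    end
  end

  # Overall decision. Per CSP Level 2, a frame-ancestors directive takes
  # precedence and X-Frame-Options is ignored entirely when it is present.
  def self.allowed?(headers, page_url:, embedder_url:)
    page_origin = origin_of(page_url)
    embedder    = origin_of(embedder_url)
    h = headers.transform_keys(&:downcase)
    sources = frame_ancestors(h['content-security-policy'])
    return sources.any? { |s| source_matches?(s, embedder, page_origin) } if sources
    xfo_allows?(h['x-frame-options'], embedder, page_origin)
  end
end

# Constructed sample responses (not real GOV.UK headers) and a short walk-through.
if __FILE__ == $PROGRAM_NAME
  page = 'https://www.gov.uk/guidance/example-manual'
  {
    'Rails default'  => { 'X-Frame-Options' => 'SAMEORIGIN' },
    'ALLOWALL'       => { 'X-Frame-Options' => 'ALLOWALL' },
    'ALLOW-FROM'     => { 'X-Frame-Options' => 'ALLOW-FROM https://www.gov.uk' },
    'frame-ancestors' => { 'X-Frame-Options' => 'DENY',
                           'Content-Security-Policy' => "frame-ancestors 'self' https://www.gov.uk" }
  }.each do |label, headers|
    %w[https://www.gov.uk https://third-party.example].each do |embedder|
      puts format('%-16s embedded by %-28s -> %s', label, embedder,
                  FramingPolicy.allowed?(headers, page_url: page, embedder_url: embedder))
    end
  end
end
```

Two points the walk-through makes visible: ALLOWALL is not a value browsers recognise, so it protects nothing and behaves exactly like omitting the header, and ALLOW-FROM was never implemented by every browser (Chrome and Safari ignored it), so a site that relies on it gets different clickjacking protection depending on the visitor's browser. A CSP frame-ancestors list is the only one of the three that lets you name specific permitted embedders and is honoured consistently.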
Hi @kravietz,
Thanks for the comment. I didn't know about allow-from, neat 👍 You might want to post this as an issue on the repo, as I'm not sure anyone else but me would be notified about this comment (and I haven't worked at GDS for almost 2 years).
Cheers,
David
Thanks @dsingleton, definitely will do!