Currently we are applying X-Frame-Options: SAMEORIGIN to all requests. To override this, users have the option of presenting their own Content-Security-Policy: frame-ancestors setting with laxer requirements. I want to lock this down further, but with an escape hatch. We will continue to apply X-Frame-Options: SAMEORIGIN to all requests, but we will also apply Content-Security-Policy: frame-ancestors 'self'. The escape hatch, however, will be that both of these are only applied if the backend does not supply its own values for these headers. Additionally, the frame-ancestors options should be seeded with the values for all "sibling services", i.e. any service hosted on the same container.
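The header policy described above, as an added example (not code from the project this issue belongs to): a small response-header filter that leaves any X-Frame-Options or Content-Security-Policy value the backend supplies untouched, and otherwise fills in SAMEORIGIN and a frame-ancestors directive seeded with 'self' plus the configured sibling-service origins. The sibling origins and the sample backend responses are constructed for the demo. One design choice beyond the text, labelled as an assumption: a backend CSP that has no frame-ancestors directive at all is treated as not having supplied a value for it, so the default directive is appended rather than leaving framing governed by X-Frame-Options alone.

```python
from typing import Dict, Iterable, List, Optional

XFO = "X-Frame-Options"
CSP = "Content-Security-Policy"
FRAME_ANCESTORS = "frame-ancestors"


def build_frame_ancestors(sibling_origins: Iterable[str]) -> str:
    """Return a frame-ancestors directive listing 'self' plus each distinct sibling origin."""
    sources: List[str] = ["'self'"]
    for origin in sibling_origins:
        origin = origin.strip()
        if origin and origin not in sources:
            sources.append(origin)
    return f"{FRAME_ANCESTORS} " + " ".join(sources)


def find_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Return the key under which `name` is stored; HTTP header names are case-insensitive."""
    for key in headers:
        if key.lower() == name.lower():
            return key
    return None


def has_frame_ancestors(csp_value: str) -> bool:
    """True if the policy already carries a frame-ancestors directive (directives are ';'-separated)."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == FRAME_ANCESTORS:
            return True
    return False


def apply_framing_defaults(backend_headers: Dict[str, str],
                           sibling_origins: Iterable[str]) -> Dict[str, str]:
    """Apply the defaults only where the backend did not supply its own value (the escape hatch)."""
    out = dict(backend_headers)

    # X-Frame-Options: SAMEORIGIN unless the backend set the header itself.
    if find_header(out, XFO) is None:
        out[XFO] = "SAMEORIGIN"

    default_directive = build_frame_ancestors(sibling_origins)
    csp_key = find_header(out, CSP)
    if csp_key is None:
        # No backend CSP at all: emit frame-ancestors 'self' plus the sibling services.
        out[CSP] = default_directive
    elif not has_frame_ancestors(out[csp_key]):
        # Assumption (not stated in the issue): a backend CSP without any
        # frame-ancestors directive has not supplied a value for it, so append ours.
        existing = out[csp_key].rstrip().rstrip(";").rstrip()
        out[csp_key] = f"{existing}; {default_directive}" if existing else default_directive
    # else: the backend chose its own frame-ancestors (possibly laxer); respect it.
    return out


if __name__ == "__main__":
    # Constructed sibling origins and backend responses for the demo.
    siblings = ["https://app-a.example", "https://app-b.example"]
    samples = {
        "no headers": {"Content-Type": "text/html"},
        "backend override": {"content-security-policy": "frame-ancestors *", "x-frame-options": "ALLOWALL"},
        "csp without framing": {"Content-Security-Policy": "default-src 'self';"},
    }
    for label, headers in samples.items():
        print(label, "->", apply_framing_defaults(headers, siblings))
```

Because the lookup is case-insensitive, a backend that emits lowercase header names still triggers the escape hatch, and the filter never adds a second, differently-cased copy of the same header.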