From ba97b9d2fd9ae3ba27f9fb59ff6f6028f661cdf7 Mon Sep 17 00:00:00 2001
From: Aga Dufrat
Date: Mon, 9 Oct 2023 12:34:04 +0100
Subject: [PATCH 1/2] Allow gov.uk domains to embed pages

We initially added the strict and OWASP-recommended 'none' directive based on the assumption that only the side-by-side browser tool (retired in November 2022) was preventing us from implementing it. However, some other internal GOV.UK apps use iframes:

- Search Admin
- Best bets (queries)
- External links (recommended-links)
- Content Publisher (Preview feature)

This policy will still ensure sufficient security yet will allow internal GOV.UK domains to embed pages.

It's added to the global base policy because, given the number of frontend applications, it may be difficult to predict which frontend app renders the page that we want to iframe. It will reduce the need to apply a CSP modification in individual apps.
---
 lib/govuk_app_config/govuk_content_security_policy.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/govuk_app_config/govuk_content_security_policy.rb b/lib/govuk_app_config/govuk_content_security_policy.rb
index fa5473f..68eb016 100644
--- a/lib/govuk_app_config/govuk_content_security_policy.rb
+++ b/lib/govuk_app_config/govuk_content_security_policy.rb
@@ -80,10 +80,10 @@ def self.build_policy(policy) # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src policy.frame_src :self, *GOVUK_DOMAINS, "www.youtube.com", "www.youtube-nocookie.com" # Allow youtube embeds - # Disallow any domain from embeding a page using ,
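Review bot: the hunk is cut off after the removed comment `- # Disallow any domain from embeding a page using ,`, so the replacement `frame_ancestors` line and its comment are not visible and the allowed source list cannot be checked against the four apps named in the commit message. Two things to confirm once the full hunk is in view. First, if the new line reuses `*GOVUK_DOMAINS` the way `policy.frame_src :self, *GOVUK_DOMAINS, ...` does in the context line above, any wildcard entry in that list lets every matching subdomain frame the page, not only the admin apps listed; clickjacking protection then rests on no attacker-controlled content being served under those hosts, which is worth stating in the replacement comment. Second, `frame-ancestors` is the only directive that governs who may embed the response, and browsers that support it ignore `X-Frame-Options` when both headers are present, so check that no `X-Frame-Options` header with a conflicting value is still emitted by the base configuration, or document the intended fallback. Also spell it "embedding", not "embeding", in the replacement comment.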
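To make the difference between the old `'none'` policy and a host-list policy concrete, here is an added Ruby example that evaluates `frame-ancestors` source expressions against a candidate embedding origin. It is not govuk_app_config code, and the allowed-host list in it is a constructed assumption rather than the project's `GOVUK_DOMAINS`; it implements the CSP3 host-source rules for `'none'`, `'self'`, plain hosts, scheme-prefixed hosts and `*.` wildcards, with ports and paths left out.

```ruby
# Added illustration (not govuk_app_config code): a minimal evaluator for
# CSP frame-ancestors source expressions. Ports and paths are ignored;
# origins are "scheme://host".

# Parse "https://host" into ["https", "host"] (both lower-cased).
def parse_origin(origin)
  scheme, host = origin.split("://", 2)
  raise ArgumentError, "not an origin: #{origin}" unless scheme && host && !host.include?("/")
  [scheme.downcase, host.downcase]
end

# Does one source expression permit +origin+ to frame a page served from
# +page_origin+? Follows CSP3 matching: a scheme-less source matches the
# page's own scheme, or https when the page is http; "*.example" matches
# any subdomain of example but not example itself.
def source_matches?(source, origin, page_origin)
  o_scheme, o_host = parse_origin(origin)
  p_scheme, p_host = parse_origin(page_origin)

  case source
  when "'none'" then false
  when "'self'" then o_scheme == p_scheme && o_host == p_host
  else
    s_scheme, s_host = source.include?("://") ? source.split("://", 2) : [nil, source]
    s_host = s_host.downcase

    if s_scheme
      return false unless s_scheme.downcase == o_scheme
    else
      return false unless o_scheme == p_scheme || (o_scheme == "https" && p_scheme == "http")
    end

    if s_host.start_with?("*.")
      suffix = s_host[1..-1]  # "*.gov.uk" -> ".gov.uk"
      o_host.end_with?(suffix) && o_host.length > suffix.length
    else
      o_host == s_host
    end
  end
end

# A whole frame-ancestors list permits the embedder if any source matches.
# An empty list behaves like 'none'.
def frame_ancestors_allows?(sources, embedding_origin, page_origin)
  sources.any? { |src| source_matches?(src, embedding_origin, page_origin) }
end

def frame_ancestors_header(sources)
  "Content-Security-Policy: frame-ancestors #{sources.join(' ')}"
end

# Constructed policies: the strict one the commit message says was in place,
# and an assumed relaxed one of the shape the commit describes. These host
# patterns are illustrative, not the real GOVUK_DOMAINS.
STRICT_POLICY  = ["'none'"].freeze
RELAXED_POLICY = ["'self'", "*.gov.uk", "*.publishing.service.gov.uk"].freeze
PAGE_ORIGIN    = "https://www.gov.uk".freeze

if __FILE__ == $PROGRAM_NAME
  puts frame_ancestors_header(STRICT_POLICY)
  puts frame_ancestors_header(RELAXED_POLICY)
  %w[
    https://www.gov.uk
    https://search-admin.publishing.service.gov.uk
    https://gov.uk
    http://www.gov.uk
    https://gov.uk.evil.example
  ].each do |embedder|
    strict  = frame_ancestors_allows?(STRICT_POLICY, embedder, PAGE_ORIGIN)
    relaxed = frame_ancestors_allows?(RELAXED_POLICY, embedder, PAGE_ORIGIN)
    puts "#{embedder}: strict=#{strict} relaxed=#{relaxed}"
  end
end
```

The last two sample embedders show the two checks a reviewer wants from a wildcard entry: an `http://` origin is refused even though the host matches, and a look-alike host such as `gov.uk.evil.example` is refused because matching is on the host suffix after the dot, not on a substring.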