From 730e444bfd67beda6d874aba134e08d2191a6f69 Mon Sep 17 00:00:00 2001
From: Arlen Johnson
Date: Thu, 2 May 2024 11:56:41 -0400
Subject: [PATCH] Add "Content-Security-Policy: frame-ancestors 'self'" to view headers (CO-2705) (#158)
---
 app/templates/layout/default.php | 1 +
 app/templates/layout/error.php | 1 +
 app/templates/layout/iframe.php | 1 +
 3 files changed, 3 insertions(+)
diff --git a/app/templates/layout/default.php b/app/templates/layout/default.php
index 4a8d32808..b46685aad 100644
--- a/app/templates/layout/default.php
+++ b/app/templates/layout/default.php
@@ -31,6 +31,7 @@
 header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
 header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
 header("Pragma: no-cache");
+header("Content-Security-Policy: frame-ancestors 'self'");
 // Add X-UA-Compatible header for IE
 if(isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false)) {
diff --git a/app/templates/layout/error.php b/app/templates/layout/error.php
index d67e68fb1..9aadeae3a 100644
--- a/app/templates/layout/error.php
+++ b/app/templates/layout/error.php
@@ -31,6 +31,7 @@
 header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
 header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
 header("Pragma: no-cache");
+header("Content-Security-Policy: frame-ancestors 'self'");
 // Add X-UA-Compatible header for IE
 if(isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false)) {
diff --git a/app/templates/layout/iframe.php b/app/templates/layout/iframe.php
index 49155c267..8dcf36fbc 100644
--- a/app/templates/layout/iframe.php
+++ b/app/templates/layout/iframe.php
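Review bot: The added `Content-Security-Policy: frame-ancestors 'self'` header in app/templates/layout/default.php has no legacy fallback, yet the context lines right below it show the layout still caters for MSIE user agents, which do not implement `frame-ancestors`. For those clients the view stays frameable by any origin; adding `header("X-Frame-Options: SAMEORIGIN");` next to the new line covers them, and browsers that honour `frame-ancestors` ignore it in favour of the CSP directive. The same gap is in the identical hunks for app/templates/layout/error.php and app/templates/layout/iframe.php. Because the line is now repeated in three layouts, a comment such as `// Anti-clickjacking: only same-origin pages may frame this view` above it would help keep the copies in sync. The run of `header()` calls starts before the hunk and the `if` block on its last line continues past it.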
@@ -31,6 +31,7 @@
 header("Expires: Thursday, 10-Jan-69 00:00:00 GMT");
 header("Cache-Control: no-store, no-cache, max-age=0, must-revalidate");
 header("Pragma: no-cache");
+header("Content-Security-Policy: frame-ancestors 'self'");
 // Add X-UA-Compatible header for IE
 if(isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false)) {
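Review bot: In app/templates/layout/iframe.php the `'self'` source permits framing only by pages on the same scheme, host and port, so if this layout is ever rendered inside a frame hosted on another origin (an inference from the file name, not something the hunk shows) the browser will refuse to display it. It is worth confirming that every embedder is same-origin and recording that next to the new line, e.g. `// Framed only by same-origin pages; list further trusted origins after 'self' if that changes`. Note also that PHP's `header()` replaces an earlier header of the same name by default, so a Content-Security-Policy set earlier in the request by other code would be overwritten here; whether one exists is not visible in this hunk.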