From bf0cc89323d0247a1d333602ec17a5387c9f3106 Mon Sep 17 00:00:00 2001
From: Vladyslav Tymofeiev <“vladyslavty@softwareplanetgroup.com”>
Date: Mon, 12 Aug 2024 16:57:05 +0300
Subject: [PATCH] Add Content-Security-Policy header to nginx config

---
 .../nginx/templates/edx/app/nginx/sites-available/lms.j2 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
index f159b9e5cad..cb5fe33d3de 100644
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
@@ -121,6 +121,11 @@ error_page {{ k }} {{ v }};
 # prevent the browser from doing MIME-type sniffing
 add_header X-Content-Type-Options nosniff;
 
+ {% if EDXAPP_LMS_IFRAME_ENABLED %}
+ # Allow iFrame for the provided hosts
+ add_header Content-Security-Policy "frame-ancestors 'self' {{ EDXAPP_LMS_FRAME-ANCESTORS }}";
+ {% endif %}
+
 # Prevent invalid display courseware in IE 10+ with high privacy settings
 add_header P3P '{{ NGINX_P3P_MESSAGE }}';
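Review bot: The variable reference on the added `add_header Content-Security-Policy` line, `{{ EDXAPP_LMS_FRAME-ANCESTORS }}`, contains a hyphen, which Jinja2 parses as the subtraction `EDXAPP_LMS_FRAME - ANCESTORS`; with the default Undefined that raises at render time, and even with defined operands it can never yield the intended host list, so the template breaks exactly when `EDXAPP_LMS_IFRAME_ENABLED` is true (the variable is presumably declared with an underscore in the role defaults, which are not in this diff). The restriction is also only emitted inside the `if`, so with framing disabled no `frame-ancestors` (and no `X-Frame-Options`, none is visible in this hunk) is sent at all, which inverts what a clickjacking control should do; additionally `add_header` without `always` is skipped on error responses, and nginx drops every server-level `add_header` in any `location` that declares its own, so the locations below (outside the hunk) need checking. I would use `add_header Content-Security-Policy "frame-ancestors 'self' {{ EDXAPP_LMS_FRAME_ANCESTORS }}" always;` in the `if` branch and add `{% else %}` with `add_header Content-Security-Policy "frame-ancestors 'self'" always;` so the default is deny-by-default. Since the value is interpolated verbatim into a quoted nginx string, the variable should be documented as a space-separated list of origins, not a YAML list, which would render as a Python list repr.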