On hosts with wagtail admin enabled set frame-ancestors 'self'

alexgibson · Jan 9, 2025 · ca9bc7b · ca9bc7b
1 parent 4be9180
commit ca9bc7b
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/bedrock/settings/__init__.py b/bedrock/settings/__init__.py
@@ -96,6 +96,11 @@
     _csp_child_src = list(set(_csp_child_src + csp_extra_frame_src))
 csp_report_uri = config("CSP_REPORT_URI", default="") or None
 csp_ro_report_uri = config("CSP_RO_REPORT_URI", default="") or None
+# On hosts with wagtail admin enabled, we need to allow the admin to frame itself for previews.
+if WAGTAIL_ENABLE_ADMIN:
+    _csp_frame_ancestors = [csp.constants.SELF]
+else:
+    _csp_frame_ancestors = [csp.constants.NONE]
 
 CONTENT_SECURITY_POLICY = {
     # Default report percentage to 1% just in case the env var isn't set, we don't want to bombard Sentry.
@@ -110,7 +115,7 @@
         "connect-src": list(set(_csp_default_src + _csp_connect_src)),
         # support older browsers (mainly Safari)
         "frame-src": _csp_child_src,
-        "frame-ancestors": [csp.constants.NONE],
+        "frame-ancestors": _csp_frame_ancestors,
         "upgrade-insecure-requests": False if DEBUG else True,
         "report-uri": csp_report_uri,
     },