Summary
Clickjacking protection has been implemented using CSP (frame-ancestors) and X-Frame-Options, but the current approach does not support OED’s expected use case of embedding charts in external web pages.
To fully resolve this, OED needs a way to configure trusted framing origins through Admin Settings rather than relying on environment variables.
Background
A strict configuration such as:
frame-ancestors 'self'
protects against clickjacking but can break legitimate functionality, such as embedding charts via OED-generated links.
A prototype solution was explored in PR #1595 using environment variables (OED_TRUSTED_FRAME_ANCESTORS), but this approach is not suitable for OED because:
• Environment variables are intended for startup configuration only
• Trusted origins may need to change at runtime
• Admins should be able to manage this through the UI
Problem
Without configurable trusted origins:
• Strict CSP breaks chart embedding
• Relaxed CSP weakens clickjacking protection
• There is no flexible, secure balance between the two
Proposed Solution
Implement admin-configurable trusted origins through OED’s existing Admin Settings / Site Settings system.
Suggested approach:
• Store trusted origins in the database
• Allow admins to add/remove origins via Admin Settings
• Load these values server-side when constructing CSP headers
• Default to secure behavior ('self') when no origins are configured
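As an added example (not OED's own code, nor the PR #1595 prototype), the following Express-style header builder implements the approach above: origins handed over by a hypothetical loader are validated and normalized, deduplicated, and the policy falls back to 'self' when nothing is configured. It assumes Node's global URL, that admins enter plain https origins (host plus optional port, no wildcards or paths), and a placeholder loadTrustedOrigins() that reads the stored list.

```javascript
// Validate one admin-entered origin. Only "https://host[:port]" with an optional
// trailing slash is accepted: no http, no path, no credentials, no wildcard.
// Returns the normalized origin (lowercased host, default port dropped) or null.
function normalizeTrustedOrigin(raw) {
  if (typeof raw !== 'string') return null;
  const s = raw.trim();
  if (!/^https:\/\/[a-z0-9.-]+(:\d{1,5})?\/?$/i.test(s)) return null;
  let u;
  try { u = new URL(s); } catch (e) { return null; }
  return u.origin;
}

// Build the clickjacking headers from the configured list. Invalid entries are
// reported in `rejected` rather than silently widening the policy.
function buildFramingHeaders(configuredOrigins) {
  const trusted = [];
  const rejected = [];
  for (const raw of configuredOrigins || []) {
    const o = normalizeTrustedOrigin(raw);
    if (o === null) rejected.push(raw);
    else if (!trusted.includes(o)) trusted.push(o);
  }
  // Secure default: with no trusted origins the page may only frame itself.
  const sources = ["'self'", ...trusted];
  const headers = {
    'Content-Security-Policy': `frame-ancestors ${sources.join(' ')}`,
  };
  // X-Frame-Options cannot express a list of origins (ALLOW-FROM is obsolete),
  // so it is only sent in the self-only case; browsers that support
  // frame-ancestors ignore X-Frame-Options when both headers are present.
  if (trusted.length === 0) headers['X-Frame-Options'] = 'SAMEORIGIN';
  return { headers, trusted, rejected };
}

// Express middleware: re-reads the stored list on each request so that an
// admin change takes effect without a restart. loadTrustedOrigins is a
// placeholder for the DB-backed loader (assumed to return a string array).
function framingHeadersMiddleware(loadTrustedOrigins) {
  return async (req, res, next) => {
    const { headers } = buildFramingHeaders(await loadTrustedOrigins());
    res.set(headers);
    next();
  };
}
```

Rejected entries should be surfaced in the Admin Settings UI at save time, so an admin is not left wondering why an embed still fails.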
Goal
Provide a secure, flexible solution that:
• Prevents clickjacking attacks
• Preserves OED chart embedding functionality
• Aligns with OED architecture and runtime configuration model