CNX-34045 Add outlook domain to Content-Security-Policy (#335)

HCL-TECH-SOFTWARE · Mar 29, 2024 · a8a95df · a8a95df
1 parent a30eb35
commit a8a95df
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/roles/third_party/ibm/ihs/ibm-http-httpdconf/templates/httpd.conf.j2 b/roles/third_party/ibm/ihs/ibm-http-httpdconf/templates/httpd.conf.j2
@@ -1178,6 +1178,6 @@ Header edit Set-Cookie ^(.*)$ "$1; SameSite=None;Secure"
 Header set X-content-Type-Options "nosniff"
 Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 
-# Apply CSP to all requests to prevent clickjacking
+# Apply CSP to all requests to prevent clickjacking. Include exceptions for teams addin and outlook addin
 Header unset Content-Security-Policy
-Header always set Content-Security-Policy "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com"
+Header always set Content-Security-Policy "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com .office365.com"