Improve CSP config

# Why are we doing this?

🧵 [thread](https://bennettoxford.slack.com/archives/C058N7P4T2S/p1774021275131109?thread_ts=1774002239.431149&cid=C058N7P4T2S)

# How will we know when it's done?

Our CSP is even stronger than it is now.

# What are we doing?

Following Suzanne's suggestions to make some easy improvements to the CSP settings, without making wider changes to the site.

CSP suggestions from [Mozilla's guide](https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSP): 

- [ ] Add object-src 'none' to block legacy `<object>` and `<embed>` elements
- [ ] Add base-uri 'none' to block `<base>` elements that would change the hostname of relative links.


She also made this suggestion from [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html), but it may have issues with the outputs viewer:
- Add frame-ancestors 'none' or frame-ancestors 'self'  to prevent [clickjacking](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Clickjacking) through embedding the site in an iframe (though probably not necessary because job-server sets the x-frame-options: SAMEORIGIN header)

---

[Defining delivery tasks guidance](https://bennett.wiki/tech-group/delivery-process/task-definition/)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Improve CSP config #5724

Why are we doing this?

How will we know when it's done?

What are we doing?

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Improve CSP config #5724

Description

Why are we doing this?

How will we know when it's done?

What are we doing?

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions