From 288f848c9c1698b77101c2869f8a490b24bef589 Mon Sep 17 00:00:00 2001
From: Oliver Christen
Date: Thu, 26 Oct 2023 15:04:33 +0200
Subject: [PATCH] Add comments to explain that frame-ancestors CSP must be customized in each project.

---
 .../create/{{cookiecutter.project}}/geoportal/vars.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/geoportal/c2cgeoportal_geoportal/scaffolds/create/{{cookiecutter.project}}/geoportal/vars.yaml b/geoportal/c2cgeoportal_geoportal/scaffolds/create/{{cookiecutter.project}}/geoportal/vars.yaml
index d8bc9b407e..403f6e0627 100644
--- a/geoportal/c2cgeoportal_geoportal/scaffolds/create/{{cookiecutter.project}}/geoportal/vars.yaml
+++ b/geoportal/c2cgeoportal_geoportal/scaffolds/create/{{cookiecutter.project}}/geoportal/vars.yaml
@@ -316,6 +316,11 @@ vars:
 # All versions
 arguments: *redis-cache-arguments

+ # This parameter set the list of hosts allowed to use the iframe api.
+ # 'self' will block all external usage, you must add additional hosts separated by space.
+ # see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+ content_security_policy_iframe_api_frame_ancestors: "'self'"
+
 # Control the HTTP headers
 headers:
 dynamic: &header {}
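Review bot: The comment added above `content_security_policy_iframe_api_frame_ancestors` tells projects to add hosts but shows neither the expected syntax nor any limit on what may be listed, so an over-broad value such as a wildcard is an easy mistake and would give up the framing protection that the `'self'` default provides. I would extend it with `# Example (constructed): "'self' https://portal.example.com"; keep the quotes around 'self', list only exact origins you trust, never '*'.` and correct the first line to `# This parameter sets the list of hosts allowed to embed the iframe API.`. The hunk does not show where this variable is read, so it is worth confirming that the value actually ends up in the `Content-Security-Policy` header sent with the iframe API response.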