From bd85ff25df951126afe2c8ae3b3c5bce8e60fbbe Mon Sep 17 00:00:00 2001
From: Kyle Kelley
Date: Sat, 22 Nov 2014 22:40:30 -0600
Subject: [PATCH] Restrict frame-ancestors to 'self' in CSP

---
 IPython/html/base/handlers.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/IPython/html/base/handlers.py b/IPython/html/base/handlers.py
index c4da28c37..005c61a46 100644
--- a/IPython/html/base/handlers.py
+++ b/IPython/html/base/handlers.py
@@ -48,10 +48,9 @@ class AuthenticatedHandler(web.RequestHandler):
         headers = self.settings.get('headers', {})
         if "Content-Security-Policy" not in headers:
-            headers["Content-Security-Policy"] = ""
+            headers["Content-Security-Policy"] = "frame-ancestors 'self'"
         if "Content-Security-Policy-Report-Only" not in headers:
-            reporter_policy = ("default-src 'self'; " +
                                "report-uri " + url_path_join(self.base_url, csp_report_uri) + ";"