Review policy on iFraming on GOV.UK

[edwardhorsford]

We used to allow iFraming of pages across GOV.UK with a few exceptions (for security reasons). From memory it was limited to start pages only.

I recently tried again and have found the majority of pages are now blocked - apparently as a result of moving to government frontend.

It sounds like this wasn't a formal policy change so much as an inadvertent change. As such, I'd like to propose allowing iFrames as we previously did, except where we have good reason not to.

Alternately we should reevaluate our iFrame policy and then make changes as needed.

---

My use case:
I've used it previously for my webchat prototype, and I'd like to explore using it for the content audit tool - both are cases where it's really helpful to have a gov.uk page within an existing page. There may be workarounds, but if we don't have a good reason to block it, I suggest allowing them.

[tijmenb]

It sounds like this wasn't a formal policy change so much as an inadvertent change.

This is correct, it's a side effect of a Rails upgrade.

Some previous discussion: #392. The reason I closed that was that I don't have a good grasp of the security implications of allowing iframing.