[ https://issues.apache.org/jira/browse/NIFI-5366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16599008#comment-16599008 ]
Andy LoPresto commented on NIFI-5366:
-------------------------------------

I'd read [this StackOverflow answer|https://stackoverflow.com/a/40417609/70465] to see how they interact. It appears that the {{frame-ancestors}} CSP obsoletes the {{X-Frame-Options}} header, but some legacy browsers rely on the header.


> Implement Content Security Policy frame-ancestors directive
> -----------------------------------------------------------
>
>                 Key: NIFI-5366
>                 URL: https://issues.apache.org/jira/browse/NIFI-5366
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.7.0
>            Reporter: Andy LoPresto
>            Assignee: Nathan Gough
>            Priority: Major
>              Labels: frame, header, http, security
>
> The {{X-Frame-Options}} headers [1] currently in place to prevent malicious framing / clickjacking [2] are superseded by and should be replaced by the Content Security Policy frame-ancestors [3] directive.
>
> [1] https://tools.ietf.org/html/rfc7034
> [2] https://en.wikipedia.org/wiki/Clickjacking
> [3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
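The header interaction discussed in the comment above, as an added Python example that is not Apache NiFi project code: it emits the frame-ancestors directive alongside a fail-closed X-Frame-Options fallback and models which header a browser with or without CSP support would consult. The origins nifi.example and portal.example are constructed for illustration.

```python
# Added example (not Apache NiFi project code). Builds both framing headers
# and models the browser precedence: a CSP-capable browser honours
# frame-ancestors and ignores X-Frame-Options; a legacy browser only sees
# X-Frame-Options. Origins used in comments/tests are constructed.

def frame_headers(allowed_ancestors):
    """Build response headers for a list of CSP frame-ancestors sources.

    allowed_ancestors: [] denies all framing; ["'self'"] allows same-origin;
    ["'self'", "https://portal.example"] also allows one partner origin.
    X-Frame-Options can only express DENY or SAMEORIGIN reliably (RFC 7034
    ALLOW-FROM takes a single origin and is unevenly supported), so the
    fallback is fail-closed: a legacy browser may block an ancestor that the
    CSP directive permits, but it never allows one the directive forbids.
    """
    if not allowed_ancestors:
        return {"Content-Security-Policy": "frame-ancestors 'none'",
                "X-Frame-Options": "DENY"}
    xfo = "SAMEORIGIN" if "'self'" in allowed_ancestors else "DENY"
    return {"Content-Security-Policy": "frame-ancestors " + " ".join(allowed_ancestors),
            "X-Frame-Options": xfo}


def framing_allowed(headers, page_origin, framer_origin, supports_csp=True):
    """Return True if framer_origin may embed a page served from page_origin.

    Source matching is exact-origin only (no wildcards or scheme-less hosts),
    which is enough to show how the two headers interact.
    """
    csp = headers.get("Content-Security-Policy", "")
    if supports_csp and "frame-ancestors" in csp:
        # CSP Level 2 browser: the directive decides, X-Frame-Options is ignored.
        sources = csp.split("frame-ancestors", 1)[1].split(";")[0].split()
        if "'none'" in sources:
            return False
        return any(src == framer_origin or (src == "'self'" and framer_origin == page_origin)
                   for src in sources)
    # Legacy path: only X-Frame-Options (RFC 7034) is consulted.
    xfo = headers.get("X-Frame-Options", "").strip()
    if xfo.upper() == "DENY":
        return False
    if xfo.upper() == "SAMEORIGIN":
        return framer_origin == page_origin
    if xfo.upper().startswith("ALLOW-FROM "):
        return framer_origin.lower() == xfo[11:].strip().lower()
    return True  # neither header understood: the browser does not restrict framing
```

Running `framing_allowed` with `supports_csp=False` against headers that permit a partner origin shows the trade-off from the comment: the legacy fallback blocks that partner rather than opening the page to everyone.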