[ https://issues.apache.org/jira/browse/NIFI-5366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16605105#comment-16605105 ]
ASF subversion and git services commented on NIFI-5366:
-------------------------------------------------------

Commit fc1461298a0a137d0fae3cd3b494fc6dec25070a in nifi's branch refs/heads/master from thenatog
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=fc14612 ]

NIFI-5366 - Added ContentSecurityPolicyFilter which stops framing of NiFi resources. It applies the Content-Security-Policy header. This protects against clickjacking.
NIFI-5366 - Added unit test. Added single quotes around 'self' for frame-ancestors CSP header.
NIFI-5366 - Fixed dependencies.

This closes #2989.

Signed-off-by: Andy LoPresto <alopre...@apache.org>

> Implement Content Security Policy frame-ancestors directive
> -----------------------------------------------------------
>
>                 Key: NIFI-5366
>                 URL: https://issues.apache.org/jira/browse/NIFI-5366
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.7.0
>            Reporter: Andy LoPresto
>            Assignee: Nathan Gough
>            Priority: Major
>              Labels: frame, header, http, security
>
> The {{X-Frame-Options}} headers [1] currently in place to prevent malicious
> framing / clickjacking [2] are superseded by and should be replaced by the
> Content Security Policy frame-ancestors [3] directive.
> [1] https://tools.ietf.org/html/rfc7034
> [2] https://en.wikipedia.org/wiki/Clickjacking
> [3]
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
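The commit above describes a servlet filter that applies a Content-Security-Policy header with a frame-ancestors directive, and notes that 'self' must be single-quoted. The following is an added illustration of that pattern, written for this page; it is not NiFi's ContentSecurityPolicyFilter and does not reproduce the project's code. The class name FrameAncestorsFilter and the policy string are constructed for the example; the javax.servlet Filter API it uses is the standard one.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Illustrative filter (constructed for this page, not NiFi's own): adds a
// Content-Security-Policy header whose frame-ancestors directive limits which
// origins may embed the application in a frame, which is the CSP answer to
// clickjacking.
public class FrameAncestorsFilter implements Filter {

    // 'self' allows framing only by the same origin. The single quotes are
    // part of the CSP source-expression grammar: an unquoted self would be
    // parsed as a host named "self", which matches nothing and silently
    // blocks all framing rather than expressing the intended policy.
    static final String FRAME_ANCESTORS_SELF = "frame-ancestors 'self'";

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed for this example.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            // Set the header before handing off to the chain so it is present
            // on the response when it is committed.
            httpResponse.setHeader("Content-Security-Policy", FRAME_ANCESTORS_SELF);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

The filter is registered like any other servlet filter (for example via web.xml or the container's programmatic API) and mapped to the paths that serve framable UI resources. Where a response still carries a legacy X-Frame-Options header alongside a CSP policy containing frame-ancestors, browsers that implement CSP Level 2 give precedence to the frame-ancestors directive, so verifying the deployed behaviour means checking the Content-Security-Policy header on a live response rather than relying on the older header.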