thenatog commented on a change in pull request #3273: NIFI-5968 - Added the
X-XSS-Protection and Strict-Transport-Security …
URL: https://github.com/apache/nifi/pull/3273#discussion_r251139976
##########
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/headers/ContentSecurityPolicyFilter.java
##########
@@ -28,7 +28,7 @@
import javax.servlet.FilterConfig;
/**
- * A filter to apply the Content Security Policy (which supersedes the
X-Frame-Options header).
+ * A filter to apply the Content Security Policy header.
*
*/
public class ContentSecurityPolicyFilter implements Filter {
Review comment:
We can apply the `default-src 'self'` directive but it also requires adding
`'unsafe-inline'`, otherwise our many inline scripts will be blocked by
default. They're already allowed anyway, so I guess there's no problem with
this.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
