[https://issues.apache.org/jira/browse/NIFI-15738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18067761#comment-18067761]
David Handermann commented on NIFI-15738:
-----------------------------------------
[~tahanaqvi] This issue is lacking details on the security concern related to
the Content-Security-Policy header. If there is a security issue, please
contact [email protected] for initial review and the Project Management
Committee will work with you to evaluate the potential problem.
> Content Security Policy is configured in the insecure manner
> ------------------------------------------------------------
>
> Key: NIFI-15738
> URL: https://issues.apache.org/jira/browse/NIFI-15738
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Security
> Affects Versions: 2.5.0
> Reporter: Taha Naqvi
> Priority: Major
> Labels: NiFi
>
> Content Security Policy is configured in the insecure manner. Insecurely
> configured Content Security Policy (CSP) does not protect the application
> against potential client-side threats and can expose it to the attacks,
> including Cross-Site Scripting (XSS), Cross-Frame Scripting (XFS,
> Clickjacking) and Cross-Site Request Forgery (CSRF).
>
> Hosts allowlist can be frequently bypassed, `strict-dynamic` should be used
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
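The quoted description says that a CSP host allowlist is frequently bypassable and that `strict-dynamic` should be used instead. The following Python is an added illustration of that point; it is not part of the ticket and not Apache NiFi's code. It parses a `Content-Security-Policy` header, reports the weak `script-src` shapes the description refers to (a host allowlist without `'strict-dynamic'`, `'unsafe-inline'` without a nonce or hash), and builds a nonce-based policy with `'strict-dynamic'`. The sample policies are constructed for the example and are not NiFi's actual configuration, which the ticket does not quote.

```python
"""Audit a CSP header for allowlist-based script-src and build a nonce-based
replacement. Added example; not Apache NiFi's code. Sample policies are
constructed and do not describe NiFi's real header."""
import secrets
from typing import Dict, List

# Constructed sample of the weak shape the ticket describes: scripts are
# allowed from a host allowlist and inline scripts are permitted outright.
CONSTRUCTED_WEAK_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://cdn.example.com; "
    "frame-ancestors 'self'"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src falls back to default-src when it is not set."""
    return policy.get("script-src", policy.get("default-src", []))


def audit_script_src(header: str) -> List[str]:
    """Return human-readable findings about the effective script-src."""
    sources = [s.lower() for s in script_sources(parse_csp(header))]
    # Keyword, nonce and hash sources are quoted; hosts, schemes and '*' are not.
    keywords = {s for s in sources if s.startswith("'")}
    allowlist = [s for s in sources if not s.startswith("'")]
    nonce_or_hash = any(
        k.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for k in keywords
    )
    strict_dynamic = "'strict-dynamic'" in keywords

    findings: List[str] = []
    if not sources:
        findings.append("no script-src or default-src: script loading is unrestricted")
        return findings
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so only
    # flag it when it actually takes effect.
    if "'unsafe-inline'" in keywords and not nonce_or_hash:
        findings.append("'unsafe-inline' allows any inline script and defeats XSS protection")
    if allowlist and not strict_dynamic:
        findings.append(
            "host allowlist (" + ", ".join(allowlist)
            + ") without 'strict-dynamic'; allowlists are frequently bypassable"
        )
    if strict_dynamic and not nonce_or_hash:
        findings.append("'strict-dynamic' has no effect without a nonce or hash source")
    return findings


def new_nonce() -> str:
    """Fresh per-response nonce; it must never be reused across responses."""
    return secrets.token_urlsafe(16)


def build_strict_policy(nonce: str) -> str:
    """Nonce-based policy: only scripts carrying the nonce run, and scripts they
    load are trusted via 'strict-dynamic'. 'self' is a fallback for browsers
    that do not understand 'strict-dynamic' and is ignored by those that do."""
    return "; ".join([
        "default-src 'self'",
        f"script-src 'nonce-{nonce}' 'strict-dynamic' 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'self'",
    ])


if __name__ == "__main__":
    for finding in audit_script_src(CONSTRUCTED_WEAK_POLICY):
        print("weak:", finding)
    hardened = build_strict_policy(new_nonce())
    print("hardened:", hardened)
    print("findings for hardened policy:", audit_script_src(hardened))
```

The nonce has to be generated per response and injected into every legitimate `<script>` tag's `nonce` attribute; a policy with a fixed nonce is no better than an allowlist.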