[
https://issues.apache.org/jira/browse/NIFI-5366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16603698#comment-16603698
]
ASF GitHub Bot commented on NIFI-5366:
--------------------------------------
Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2989#discussion_r215092182
--- Diff:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
---
@@ -154,5 +154,20 @@
<artifactId>jettison</artifactId>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-test</artifactId>
+ <version>5.0.6.RELEASE</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-servlet</artifactId>
--- End diff --
Let's move the non-`test` dependencies above so they are all together with
the `compile` dependencies and the `test` dependencies are together. Not a
technical necessity, but good for logical grouping and identification.
> Implement Content Security Policy frame-ancestors directive
> -----------------------------------------------------------
>
> Key: NIFI-5366
> URL: https://issues.apache.org/jira/browse/NIFI-5366
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 1.7.0
> Reporter: Andy LoPresto
> Assignee: Nathan Gough
> Priority: Major
> Labels: frame, header, http, security
>
> The {{X-Frame-Options}} headers [1] currently in place to prevent malicious
> framing / clickjacking [2] are superseded by and should be replaced by the
> Content Security Policy frame-ancestors [3] directive.
> [1] https://tools.ietf.org/html/rfc7034
> [2] https://en.wikipedia.org/wiki/Clickjacking
> [3]
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
