MashZone NextGen Content Security Policy

Most modern browsers, such as Microsoft Edge, Chrome, Firefox and Safari, check for the newer Content-Security-Policy HTTP header instead of X-Frame-Options. The MashZone NextGen web.xml file therefore contains a second HTTP filter class that sends the Content-Security-Policy header. By default this filter sends the value frame-ancestors 'self', which is equivalent to X-Frame-Options SAMEORIGIN: the browser only allows MashZone NextGen content to be embedded in an iframe when the framing page comes from the same origin.

The Content-Security-Policy header is not supported by Microsoft Internet Explorer.

ContentSecurityPolicy

<filter>
    <!-- Allows setting of the HTTP header Content-Security-Policy
         http://www.w3.org/TR/CSP2/
         To prevent clickjacking attacks the default is "frame-ancestors 'self'",
         which disallows external iframing of MzNG content.
         To allow additional websites to iframe MzNG content, add the site URI
         after 'self'. For example: "frame-ancestors http://*.example.com/ 'self'"
         https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors -->
    <filter-name>Content Security Policy</filter-name>
    <filter-class>com.jackbe.jbp.sas.security.ui.http.ContentSecurityPolicyFilter</filter-class>
    <init-param>
        <param-name>policy</param-name>
        <param-value>frame-ancestors 'self'</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>Content Security Policy</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
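Before widening the policy value, it helps to check which framing origins a candidate <param-value> would actually admit. The following Python is an added example, not MashZone NextGen or filter code: it approximates the browser's CSP2 source-expression matching for frame-ancestors (the specification linked in the comment above), and every policy string and URL used with it is constructed for illustration; the ":*" port wildcard is not handled.

```python
# Added example, not MashZone NextGen code: approximates CSP2 frame-ancestors
# matching so a <param-value> can be checked before deployment; inputs are constructed.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (u.hostname or "").lower(), port

def _expr_matches(expr, self_url, ancestor_url):
    """Match one CSP source expression against the framing page's origin."""
    a_scheme, a_host, a_port = _origin(ancestor_url)
    s_scheme = _origin(self_url)[0]
    if expr == "'self'":                          # same scheme, host and port
        return _origin(self_url) == (a_scheme, a_host, a_port)
    if expr == "*":
        return True
    if expr.endswith(":") and "/" not in expr:    # scheme-only source, e.g. https:
        return a_scheme == expr[:-1].lower()
    if "://" in expr:                             # explicit scheme must match
        e_scheme, e_host, e_port = _origin(expr)
        if e_scheme != a_scheme:
            return False
    else:                                         # no scheme: the page's own scheme,
        e_host, e_port = _origin("x://" + expr)[1:]  # or https if the page is http
        if a_scheme != s_scheme and not (s_scheme == "http" and a_scheme == "https"):
            return False
    if e_port is None:                            # no port given: the ancestor must
        e_port = DEFAULT_PORTS.get(a_scheme)      # use its scheme's default port
    if e_port != a_port:                          # (a ":*" port wildcard is not handled)
        return False
    if e_host.startswith("*."):                   # wildcard label matches subdomains only
        return a_host.endswith(e_host[1:])
    return a_host == e_host

def frame_allowed(policy, self_url, ancestor_url):
    """True if the page at self_url may be framed by a page at ancestor_url. Other
    directives are ignored; a policy with no frame-ancestors imposes no limit."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            exprs = tokens[1:]
            if not exprs or exprs == ["'none'"]:     # an empty source list means 'none'
                return False
            return any(_expr_matches(e, self_url, ancestor_url) for e in exprs)
    return True
```

With the comment's own example, frame_allowed("frame-ancestors http://*.example.com/ 'self'", "https://mz.example.internal", "http://dash.example.com/") is True, while an embedding from http://example.com or from a non-default port is refused. Browsers implementing CSP3 additionally let an http: source match an https framer, so a value should be re-checked against the browsers actually in use.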