Content Security Policy

We noticed that the “Clickjacking Protections for Looker Login Pages” option when enabled sets the X-Frame-Options header to SAMEORIGIN on the Login page, which is great.

Using WebInspect to perform a vulnerability scan, however, points out that not all browsers support the X-Frame-Options header, so the Login page is still susceptible to Cross Frame Scripting/Clickjacking attacks.

This response, while protected by a valid X-Frame-Options, does not contain a valid Content-Security-Policy (CSP) frame-ancestors directive. Consider adding CSP as it now replaces X-Frame-Options and is supported in most modern browsers.

It specifically recommends using both an X-Frame-Options header and a Content Security Policy to provide the broadest browser coverage.

Are there any plans to introduce a Content Security Policy?

Hi @cole.elliott,

The X-Frame-Options: deny and X-Frame-Options: sameorigin are both supported by all major browsers while the X-Frame-Options: allow-from https://domain.tld/ header is only supported by some major browsers. (Source)

Having said that, we had internal conversations to investigate incorporating Content-Security-Policy into the Looker application as an additional security control but unfortunately CSP is not on the roadmap at this time.

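The header check the scanner finding above describes, and the browser-support distinction made in the reply, as an added example (this is not Looker code and was not posted by either participant): the function parses a response's X-Frame-Options and Content-Security-Policy headers, reports whether a frame-ancestors directive is present, and classifies the X-Frame-Options value as universally supported (deny, sameorigin), partially supported (allow-from), missing or invalid. The header sets and the hardened policy value are constructed for the example.

```python
"""Summarise a response's anti-framing headers the way the scanner in the thread does.

Added example, not Looker's code. The sample header sets below are constructed.
"""
from typing import Dict, List, Optional

# X-Frame-Options values honoured by all major browsers (per the reply above);
# "allow-from" is only honoured by some, and anything else is invalid.
XFO_UNIVERSAL = {"deny", "sameorigin"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.

    Directives are separated by ';', tokens within a directive by whitespace.
    Directive names are case-insensitive and, as in browsers, the first
    occurrence of a directive wins.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def frame_protection_status(headers: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Return a summary of the clickjacking protections carried by `headers`.

    `headers` maps response header names (matched case-insensitively) to values.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    xfo = lower.get("x-frame-options")
    csp = lower.get("content-security-policy", "")
    ancestors = parse_csp(csp).get("frame-ancestors")

    if xfo is None:
        xfo_status = "missing"
    elif xfo.strip().lower() in XFO_UNIVERSAL:
        xfo_status = "universal"
    elif xfo.strip().lower().startswith("allow-from"):
        xfo_status = "partial"  # honoured only by some browsers
    else:
        xfo_status = "invalid"

    return {
        "x_frame_options": xfo_status,
        "frame_ancestors": " ".join(ancestors) if ancestors is not None else None,
        # The scanner's finding: X-Frame-Options alone, no CSP frame-ancestors.
        "finding": None if ancestors is not None else "missing CSP frame-ancestors directive",
    }


# Constructed samples: a login response as described in the thread, and one
# that also carries the CSP directive the scanner asks for.
LOGIN_AS_REPORTED = {"X-Frame-Options": "SAMEORIGIN", "Content-Type": "text/html"}
LOGIN_HARDENED = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'; default-src 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("reported", LOGIN_AS_REPORTED), ("hardened", LOGIN_HARDENED)):
        print(label, frame_protection_status(hdrs))
```

Keeping both headers, as the scanner recommends, is what makes the "hardened" sample report no finding: older browsers read X-Frame-Options, newer ones prefer frame-ancestors, and the two values should agree (SAMEORIGIN pairs with 'self', DENY with 'none').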

Thanks for your response @maanul.shrivastava and for sharing that info.