We noticed that the “Clickjacking Protections for Looker Login Pages” option, when enabled, sets the X-Frame-Options header to SAMEORIGIN on the Login page, which is great.
A vulnerability scan with WebInspect, however, points out that not all browsers support the X-Frame-Options header, so the Login page is still susceptible to Cross Frame Scripting/Clickjacking attacks:
This response, while protected by a valid X-Frame-Options, does not contain a valid Content-Security-Policy (CSP) frame-ancestors directive. Consider adding CSP as it now replaces X-Frame-Options and is supported in most modern browsers.
It specifically recommends using both an X-Frame-Options header and a Content Security Policy to provide the broadest browser coverage.
Are there any plans to introduce a Content Security Policy?
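The following is an added example, not code from the post above or from Looker: a small Node.js header audit that reproduces the scanner's logic for the framing protections discussed here. It takes a set of response headers, checks for a valid X-Frame-Options value, parses the Content-Security-Policy header, and reports whether a frame-ancestors directive is present. The three header sets at the bottom are constructed for illustration (the state the post describes, a hardened response carrying both headers, and a CSP that has default-src but no frame-ancestors). One detail the check encodes that is easy to get wrong: frame-ancestors does not fall back to default-src, so a policy with only default-src still leaves framing uncontrolled in CSP terms.

```javascript
// Added example (not Looker's code). Audits HTTP response headers for the two
// anti-framing controls: X-Frame-Options and CSP frame-ancestors.

// Parse a Content-Security-Policy value into Map<directive, [sources...]>.
// Per the CSP spec, only the first occurrence of a directive is honoured.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Header names are case-insensitive in HTTP; look one up accordingly.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : headers[key];
}

// Evaluate framing protection. Returns which controls are present and a list
// of findings phrased in the spirit of the scanner output quoted in the post.
function auditFramingProtection(headers) {
  const findings = [];

  const xfo = getHeader(headers, 'X-Frame-Options');
  const xfoValue = xfo ? xfo.trim().toUpperCase() : undefined;
  const xfoValid = xfoValue === 'DENY' || xfoValue === 'SAMEORIGIN';
  if (xfo === undefined) {
    findings.push('X-Frame-Options header missing');
  } else if (!xfoValid) {
    findings.push(`X-Frame-Options value "${xfo}" is not DENY or SAMEORIGIN (ALLOW-FROM is obsolete)`);
  }

  const csp = getHeader(headers, 'Content-Security-Policy');
  // frame-ancestors has no fallback to default-src, so only the directive itself counts.
  const frameAncestors = csp ? parseCsp(csp).get('frame-ancestors') : undefined;
  if (csp === undefined) {
    findings.push('Content-Security-Policy header missing');
  } else if (frameAncestors === undefined) {
    findings.push('Content-Security-Policy present but has no frame-ancestors directive');
  } else if (frameAncestors.length === 0) {
    findings.push('frame-ancestors directive has no source list');
  }

  const cspFramingOk = frameAncestors !== undefined && frameAncestors.length > 0;
  return {
    xfoValid,
    frameAncestors: cspFramingOk ? frameAncestors : null,
    findings,
    // "complete" = both controls present, the combination the scanner recommends.
    complete: xfoValid && cspFramingOk,
  };
}

// Constructed sample: the state the post describes (X-Frame-Options only).
const loginAsDescribed = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Frame-Options': 'SAMEORIGIN',
};

// Constructed sample: both headers set, giving the broadest browser coverage.
// Browsers that understand frame-ancestors use it and ignore X-Frame-Options;
// older ones still get X-Frame-Options.
const loginHardened = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Frame-Options': 'SAMEORIGIN',
  'Content-Security-Policy': "frame-ancestors 'self'",
};

// Constructed sample: a CSP exists, but default-src does not cover framing.
const loginCspWithoutFrameAncestors = {
  'X-Frame-Options': 'DENY',
  'content-security-policy': "default-src 'self'",
};

const samples = { loginAsDescribed, loginHardened, loginCspWithoutFrameAncestors };
for (const [name, hdrs] of Object.entries(samples)) {
  const result = auditFramingProtection(hdrs);
  console.log(`${name}: complete=${result.complete}`, result.findings);
}
```

To run it against a live Login page instead of the constructed samples, feed `auditFramingProtection` the `headers` object from a `fetch` or `http.get` response; the function only reads header names and values, so nothing else changes.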