Modifying settings for X-Frame-Options and Content Security Policy

  1. Double-click the grid on the left pane of LifeCycle Manager.
  2. Click Grid Properties.
  3. Under Grid HTTP Configuration, specify this information:
    Content Security Policy Frame Ancestors Enabled
    Set this to true to set a Content-Security-Policy frame-ancestors directive in HTTP responses.
    Content Security Policy Frame Ancestors
    This property is applicable only if Content Security Policy Frame Ancestors Enabled is set to true. This property specifies which origins should be included as allowed frame ancestors for the content returned by HTTP responses. Origins consist of protocol, host name, and port.

    For this setting to work with Mingle, make sure to include the host where Mingle is installed in the list. Example: https://{mingle-hostname}:{mingle-port}.

    X-Frame-Options
    Set this to true to set an X-Frame-Options DENY security header in HTTP responses, unless the origin of the request is included in the X-Frame-Options Allow From Origin Whitelist
    X-Frame-Options Allow From Origin Whitelist
    This property is applicable only if X-Frame-Options is set to true. This property specifies which origins should be allowed to embed returned content in an HTML5 iframe element. Origins consist of protocol, host name, and port.

    For this setting to work with Mingle, make sure to include the host where Mingle is installed in the list. Example: https://{mingle-hostname}:{mingle-port}.

    Note:  The values in the whitelist must exactly match the origin of the request, as specified in the query parameter named 'xfo' or the cookie named Grid-XFO.