Release Notes / Version 12.2412.0
CAE HTTP security now supports configuration of the Content-Security-Policy response header via cae.http-headers.csp.directives. It has been set to a same-origin-only policy, as recommended by the OWASP CSP cheat sheet. The Spring dev profile configures report-only mode for the Live CAE and disables CSP for the Preview CAE.

Additionally, for HTTP requests to the Live CAE, the X-XSS-Protection response header has been disabled. Although setting the X-XSS-Protection response header can protect users of older web browsers that do not yet support CSP, in some cases this XSS filter can itself create XSS vulnerabilities in otherwise safe websites. Therefore, it is recommended to use Content-Security-Policy without allowing unsafe-inline scripts instead. For further information, see X-XSS-Protection in the Mozilla Developer Resources and the OWASP Content Security Policy Cheat Sheet.
(CMS-23644)
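The following is an added verification example, not CoreMedia code: it audits a set of response headers for the two points in this note (a Content-Security-Policy that does not allow unsafe-inline scripts, and X-XSS-Protection absent or set to 0) and distinguishes an enforced policy from a report-only one. The sample header sets are constructed for illustration, not captured from a CAE.

```python
# Added example (not CoreMedia code): audit security headers of a CAE response.
# Header values below are constructed samples, not real captures.
from typing import Dict, List


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the headers match the advice
    in the release note (CSP enforced without 'unsafe-inline' scripts,
    X-XSS-Protection absent or explicitly '0')."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    csp = h.get("content-security-policy")
    report_only = h.get("content-security-policy-report-only")
    if csp is None and report_only is None:
        findings.append("no Content-Security-Policy header")
    else:
        if csp is None:
            findings.append("CSP is report-only: violations are reported, not blocked")
        policy = parse_csp(csp if csp is not None else report_only)
        # script-src falls back to default-src when it is not set explicitly
        script_src = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP allows 'unsafe-inline' scripts")
        if "script-src" not in policy and "default-src" not in policy:
            findings.append("CSP restricts neither default-src nor script-src")
    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append("X-XSS-Protection is enabled; remove it or set it to 0")
    return findings


# Constructed samples: a hardened Live CAE response, a legacy configuration,
# and a dev-profile style report-only response.
LIVE_OK = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'; form-action 'self'",
           "X-XSS-Protection": "0"}
LEGACY = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
          "X-XSS-Protection": "1; mode=block"}
DEV_REPORT_ONLY = {"Content-Security-Policy-Report-Only": "default-src 'self'"}
```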