Configuration for applying HTTP security headers, here X_FRAME_OPTIONS and CONTENT_SECURITY_POLICY, which may prevent
clickjacking attacks but also block resources from being embedded in iframes (etc.). This may be undesirable, e.g.
for the issue collector.
Clickjacking protection can be disabled by setting system property
to "true".
One can specify a -separated list of paths to exclude from clickjacking protection.
It will be matched against all requests whose path starts with any of the provided paths (by means of
String.startsWith(String)).
Use system property to set the list.
A path comprises the servlet path and the path info, if available.
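The prefix match described above, as an added Java example (not Jira's own code): the class name, method names and sample paths are constructed, and skipping blank entries is an assumption of this sketch. It shows that a short prefix excludes more requests from clickjacking protection than a prefix ending at a path boundary.

```java
import java.util.List;

// Added illustration; class and method names are hypothetical, not Jira's API.
public class ClickjackingExclusionDemo {

    // A path is the servlet path followed by the path info, if available.
    static String requestPath(String servletPath, String pathInfo) {
        String base = servletPath == null ? "" : servletPath;
        return pathInfo == null ? base : base + pathInfo;
    }

    // True when the request path starts with any excluded prefix,
    // i.e. the clickjacking headers would not be applied to that request.
    static boolean isExcluded(List<String> excludedPrefixes, String path) {
        for (String prefix : excludedPrefixes) {
            // Assumption of this sketch: blank entries are skipped, because
            // every path starts with "" and would otherwise be excluded.
            if (prefix == null || prefix.trim().isEmpty()) {
                continue;
            }
            if (path.startsWith(prefix.trim())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real instance.
        List<String> broad = List.of("/embed");
        List<String> narrow = List.of("/embed/");

        String[][] requests = {
            {"/embed", "/widget"},            // intended exclusion
            {"/embedded-admin", "/settings"}, // shares the prefix by accident
            {"/embed", null},                 // no path info available
            {"/secure", "/Dashboard.jspa"},   // unrelated page
        };
        for (String[] r : requests) {
            String path = requestPath(r[0], r[1]);
            System.out.printf("%-28s broad=%-5b narrow=%b%n",
                    path, isExcluded(broad, path), isExcluded(narrow, path));
        }
    }
}
```

With the broad prefix, `/embedded-admin/settings` loses its framing protection as well; ending the prefix at a path separator keeps the exclusion to the intended subtree.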
Config will be updated at run-time when any of the following events is triggered:
- JiraStartedEvent
- PluginEnabledEvent
- PluginDisabledEvent