Configuration for applying HTTP Security Headers, here: X_FRAME_OPTIONS and CONTENT_SECURITY_POLICY which may prevent
clickjacking attacks but also blocks resources to be embedded in iframes (etc). This could be not desired, e.g.
by issue collector.
Clickjacking protection can be disabled by setting system property
to "true".
One can exclude paths from clickjacking protection in two ways.
Either way, a path will be matched against all requests, whose path starts with any of the provided path (by means of
String.startsWith(String)
).
A path comprises of servlet path and path info, if available.
Firstly, there is a `<clickjacking-http-headers-excluded-paths>` plugin module descriptor, which can be add to `atlassian-plugin.xml`.
Use `<path>...</path>` elements in order to declare paths.
Secondly, one can specify a -separated list of paths in system property.