OpenShift Console: CONSOLE-4170

Determine which CSP headers could be added to the console


    • Type: Spike
    • Resolution: Done
    • Priority: Undefined
    • Sprint: HAC Infra OCP - Sprint 259

      There are several feature requests for adding a CSP (Content Security Policy) header to the Console.

      Content-Security-Policy (CSP) header provides a defense-in-depth measure in client-side security, as a second layer of protection against Cross-site Scripting (XSS) and clickjacking attacks.

      Currently there are some other related security headers present in the OpenShift console that cover some aspects of CSP functionality:

      • X-Frame-Options: When set to DENY, this disallows attempts to iframe the site (related CSP directive: `frame-ancestors`)
      • X-XSS-Protection: Protects against reflected XSS attacks in Chrome and Internet Explorer (related CSP directive keyword: `unsafe-inline`)
      • X-Content-Type-Options: Prevents loading of external scripts and stylesheets unless the server indicates the correct MIME type; loading mistyped content can lead to some types of XSS attacks.
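      The mapping above can be tried out in code. The following Go block is an added example, not code from the console or from this issue: it serializes a constructed policy (`ExamplePolicy`, whose source lists are placeholders, not the console's real allow-list), parses it back, checks that it covers the roles of X-Frame-Options and X-XSS-Protection, and wraps a handler so the policy is sent as `Content-Security-Policy-Report-Only` first, which lets browsers report violations from dynamic plugins without blocking anything. The function and type names (`Directive`, `BuildCSP`, `ParseCSP`, `CoversLegacyHeaders`, `CSPMiddleware`) are this example's own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Directive is one CSP directive and its source list.
type Directive struct {
	Name   string
	Values []string
}

// ExamplePolicy is a constructed starting point, not the console's real policy.
// It mirrors the legacy headers: frame-ancestors 'none' matches
// X-Frame-Options: DENY, and a script-src without 'unsafe-inline' removes the
// inline-script vector that X-XSS-Protection was meant to catch.
var ExamplePolicy = []Directive{
	{Name: "default-src", Values: []string{"'self'"}},
	{Name: "script-src", Values: []string{"'self'"}},
	{Name: "style-src", Values: []string{"'self'"}},
	{Name: "frame-ancestors", Values: []string{"'none'"}},
}

// BuildCSP serializes directives into a header value ("name src src; name src").
func BuildCSP(directives []Directive) string {
	parts := make([]string, 0, len(directives))
	for _, d := range directives {
		parts = append(parts, d.Name+" "+strings.Join(d.Values, " "))
	}
	return strings.Join(parts, "; ")
}

// ParseCSP splits a header value back into directive name -> sources.
func ParseCSP(policy string) map[string][]string {
	out := map[string][]string{}
	for _, part := range strings.Split(policy, ";") {
		fields := strings.Fields(part)
		if len(fields) == 0 {
			continue
		}
		out[strings.ToLower(fields[0])] = fields[1:]
	}
	return out
}

// CoversLegacyHeaders reports whether the policy restricts framing (the
// X-Frame-Options role) and keeps 'unsafe-inline' out of script-src.
func CoversLegacyHeaders(policy string) (framingRestricted, noInlineScript bool) {
	d := ParseCSP(policy)
	if fa, ok := d["frame-ancestors"]; ok {
		framingRestricted = true
		for _, v := range fa {
			if v == "*" { // wildcard allows any origin to frame the page
				framingRestricted = false
			}
		}
	}
	if ss, ok := d["script-src"]; ok {
		noInlineScript = true
		for _, v := range ss {
			if strings.EqualFold(v, "'unsafe-inline'") {
				noInlineScript = false
			}
		}
	}
	return framingRestricted, noInlineScript
}

// CSPMiddleware adds the policy to every response. With reportOnly=true the
// Content-Security-Policy-Report-Only header is used: browsers report
// violations but block nothing, so plugin breakage can be found before
// enforcing. The legacy headers stay in place for browsers without CSP.
func CSPMiddleware(policy string, reportOnly bool, next http.Handler) http.Handler {
	name := "Content-Security-Policy"
	if reportOnly {
		name = "Content-Security-Policy-Report-Only"
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set(name, policy)
		h.Set("X-Frame-Options", "DENY")
		h.Set("X-Content-Type-Options", "nosniff")
		next.ServeHTTP(w, r)
	})
}

func main() {
	policy := BuildCSP(ExamplePolicy)
	handler := CSPMiddleware(policy, true, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	framing, inline := CoversLegacyHeaders(policy)
	fmt.Println(rec.Header().Get("Content-Security-Policy-Report-Only"))
	fmt.Println("framing restricted:", framing, "no inline script:", inline)
}
```

      Switching `reportOnly` to false turns the same value into an enforced `Content-Security-Policy` header; the report-only pass is the step that answers the "do not break Console or plugins" part of the acceptance criteria before anything is enforced.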

      RFEs:


      AC:

      • Determine which CSP headers could be added to the console and what their values should be, so that neither the Console nor its plugins break.
      • Create a doc with the findings on which headers we will add and which we will not, together with the reasoning.


      CSP Headers docs - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

              Vojtech Szocs (vszocs@redhat.com)
              Jakub Hadvig (jhadvig@redhat.com)