Created attachment 1220: Nessus screenshot

Nessus is at it again and complains if a web server doesn't set X-Frame-Options or Content-Security-Policy. This provides protection against clickjacking on sites that maintain a login (e.g. using session cookies). Since we don't maintain logins, there is nothing to protect in ThinLinc by adding these. But users still want to avoid having warnings from Nessus, so it would be good if we could include those headers.
Note that adding such headers would prevent embedding Web Access or Web Admin, so we need to consider bug 5231 and bug 8191 as well.
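The two questions raised above (does a response satisfy a presence check like the Nessus plugin, and would a given site still be able to embed the page) can be separated. The following is an added example, not ThinLinc code and not from this bug: it evaluates X-Frame-Options and the CSP frame-ancestors directive against a constructed set of header sets and hypothetical origins (tl.example.com, intranet.example.com, evil.example.net are assumptions for illustration). The point it makes is that frame-ancestors with an explicit allowlist satisfies a presence-only scanner check while still permitting the embedding use case.

```python
"""Check a set of HTTP response headers the way a scanner does
(is X-Frame-Options or a CSP frame-ancestors directive present?) and,
separately, work out whether a given origin would still be allowed to
embed the page in a frame. Header sets and origins below are constructed
for illustration and are not taken from ThinLinc or any real server."""

from urllib.parse import urlsplit

# Constructed sample header sets (hypothetical).
HEADERS_NONE = {"Content-Type": "text/html"}
HEADERS_DENY = {"X-Frame-Options": "DENY"}
HEADERS_ALLOWLIST = {
    "Content-Security-Policy":
        "default-src 'self'; frame-ancestors 'self' https://intranet.example.com",
}


def _get(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def frame_ancestors(headers):
    """Return the frame-ancestors source list, or None if no CSP sets it."""
    csp = _get(headers, "content-security-policy")
    if csp is None:
        return None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def has_clickjacking_protection(headers):
    """Presence check only, which is what a scanner finding is about."""
    return (_get(headers, "x-frame-options") is not None
            or frame_ancestors(headers) is not None)


def _origin(url):
    """Reduce a URL to a (scheme, host[:port]) tuple for comparison."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


def _source_matches(source, embedder, page):
    """Match one frame-ancestors source expression against an origin tuple."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder == page
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:      # scheme-source, e.g. https:
        return embedder[0] == src[:-1]
    host_src = urlsplit(src if "://" in src else "//" + src)
    if host_src.scheme and host_src.scheme != embedder[0]:
        return False
    if host_src.netloc.startswith("*."):          # wildcard subdomain
        return embedder[1].endswith(host_src.netloc[1:])
    return embedder[1] == host_src.netloc


def can_embed(headers, page_url, embedder_url):
    """Would a frame on embedder_url be allowed to show page_url?

    CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
    """
    page, embedder = _origin(page_url), _origin(embedder_url)
    sources = frame_ancestors(headers)
    if sources is not None:
        return any(_source_matches(s, embedder, page) for s in sources)
    xfo = _get(headers, "x-frame-options")
    if xfo is None:
        return True
    value = xfo.strip().lower()
    if value == "deny":
        return False
    if value == "sameorigin":
        return embedder == page
    # Any other value (including the obsolete ALLOW-FROM) is ignored by
    # current browsers, so the page ends up frameable by anyone.
    return True


if __name__ == "__main__":
    page = "https://tl.example.com"
    for name, hdrs in (("none", HEADERS_NONE), ("deny", HEADERS_DENY),
                       ("allowlist", HEADERS_ALLOWLIST)):
        print(name, "scanner-clean:", has_clickjacking_protection(hdrs),
              "intranet-can-embed:",
              can_embed(hdrs, page, "https://intranet.example.com"))
```

Run against the three constructed header sets, HEADERS_DENY is scanner-clean but blocks every embedder, while HEADERS_ALLOWLIST is equally scanner-clean and still lets the listed intranet origin (and the page's own origin) frame the page. That is the shape of header an embedding case such as the ones in bug 5231 and bug 8191 would need, with the allowed ancestors being a deployment-specific setting rather than a fixed value.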