Definition

Currently, there's no way to modify the content-security-policy header besides:

• the default value that Atlassian has set frame-ancestors 'self'
• or to exempt certain pages or disable the protection entirely.
  See https://confluence.atlassian.com/jirakb/security-headers-in-jira-939919914.html/.

However, there is no way to provide a different configuration for that header. For example, a user may prefer to have:

frame-ancestors 'self' https://trusteddomain.com

This will allow users to exempt applink URLs for instance from these checks as trusted domains. Useful for embedding gadgets, pages etc from one Atlassian Application to the other.

Suggestion

Provide more configuration options for this header. At least provide a way to specify trusted domains from which the Jira web page can be framed.

Workaround

Use a web-server like Apache, Nginx etc as a reverse proxy and then use the header re-write features of the proxy to add these headers.