Replace X-Frame-Options with Content-Security-Policy #21

Open
manics opened this issue Sep 26, 2019 · 7 comments · May be fixed by #527
Comments

@manics
Member

manics commented Sep 26, 2019

X-Frame-Options with values other than deny and sameorigin has limited browser support, and only supports a single domain: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Replace it with the much more flexible Content-Security-Policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy), which deprecates X-Frame-Options (https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options).

Django CSP module: https://github.com/mozilla/django-csp
Original requirement: https://forum.image.sc/t/cors-white-listing/29457/7

@manics
Member Author

manics commented Jul 23, 2020

In addition to providing finer-grained options than X-Frame-Options, a Content-Security-Policy will also improve the security of OMERO.web by reducing the risk of cross-site-scripting attacks or injection of other unwanted content. I think we should deprecate X-Frame-Options and enable Content-Security-Policy by default.

@imagesc-bot

This issue has been mentioned on Image.sc Forum. There might be relevant details there:

https://forum.image.sc/t/cors-white-listing/29457/12

@markfilan

X-Frame-Options is a header included in the response to the request to state if the domain requested will allow itself to be displayed within a frame. It has nothing to do with JavaScript or HTML, and cannot be changed by the originator of the request. You can't set X-Frame-Options on the iframe. That is a response header set by the domain from which you are requesting the resource. They have set the header to SAMEORIGIN in this case, which means that they have disallowed loading of the resource in an iframe outside of their domain. So you cannot embed their website into yours. When browsers see that the response header contains X-Frame-Options: SAMEORIGIN, they check your domain and block the rendering of the <iframe>. It is a security measure to avoid clickjacking.

@will-moore
Member

Just looked at https://caniuse.com/x-frame-options which says that only IE 6-7 and Opera Mini don't support X-Frame-Options. This is 1.34% of global usage, but will be even less likely to include any webclient users since we haven't supported IE for some time.

@jitinmakker

Just curious if there has been any update on this?

@will-moore
Member

No update I'm afraid, but thanks for raising it.
We need to decide on the best way to produce a CSP configuration that is suitable "out of the box" for most users, while also being sufficiently configurable for others, depending on their needs.
E.g. we don't want to add an omero config for every one of the policies at https://django-csp.readthedocs.io/en/latest/configuration.html

cc @knabar

@knabar
Member

knabar commented Jan 10, 2024

If the goal is to support all the options, I'm right now leaning towards a single omero.config setting that takes JSON with any or all of the available django-csp settings as desired. Regarding what the defaults should be, are there policies where the given defaults are not acceptable for the standard install?
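Added example (not OMERO.web's or django-csp's own code) of the single JSON-valued setting proposed above: parse it, emit the Content-Security-Policy header, and derive a legacy X-Frame-Options value only where `frame-ancestors` has an exact equivalent. The setting name, sample values and function names are assumptions.

```python
import json
from typing import Dict, List, Optional

# Constructed sample of a single JSON-valued setting holding CSP directives.
# The directive names are real CSP directives; the setting itself is hypothetical.
SAMPLE_CSP_JSON = json.dumps({
    "default-src": ["'self'"],
    "frame-ancestors": ["'self'", "https://forum.image.sc"],
})

def parse_csp_config(config_json: str) -> Dict[str, List[str]]:
    """Parse the JSON setting into {directive: [source, ...]}, rejecting malformed
    input so a typo in the config cannot silently yield an empty, permissive policy."""
    policy = json.loads(config_json)
    if not isinstance(policy, dict) or not policy:
        raise ValueError("CSP config must be a non-empty JSON object of directives")
    parsed: Dict[str, List[str]] = {}
    for directive, sources in policy.items():
        if isinstance(sources, str):
            sources = [sources]  # allow a bare string for single-source directives
        if not isinstance(sources, list) or not all(isinstance(s, str) and s for s in sources):
            raise ValueError(f"directive {directive!r} needs a list of non-empty source strings")
        parsed[directive] = sources
    return parsed

def build_csp_header(config_json: str) -> str:
    """Serialise the parsed directives into a Content-Security-Policy header value."""
    policy = parse_csp_config(config_json)
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in policy.items())

def legacy_x_frame_options(config_json: str) -> Optional[str]:
    """Derive the X-Frame-Options value matching frame-ancestors for pre-CSP browsers.
    Only 'none' -> DENY and 'self' -> SAMEORIGIN map cleanly; a list of other origins
    has no widely supported X-Frame-Options form (ALLOW-FROM takes one domain and has
    limited support), so None is returned and the CSP header alone applies."""
    ancestors = parse_csp_config(config_json).get("frame-ancestors")
    if ancestors == ["'none'"]:
        return "DENY"
    if ancestors == ["'self'"]:
        return "SAMEORIGIN"
    return None

def security_headers(config_json: str) -> Dict[str, str]:
    """Headers a response middleware would add: CSP always, X-Frame-Options when derivable."""
    headers = {"Content-Security-Policy": build_csp_header(config_json)}
    xfo = legacy_x_frame_options(config_json)
    if xfo is not None:
        headers["X-Frame-Options"] = xfo
    return headers
```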

@will-moore will-moore linked a pull request Jan 15, 2024 that will close this issue