The concern is about XSS and clickjacking exposure, because the Content Security Policy (CSP) header is not implemented in IM or IP.
IM, IP 14.5.x
IM cannot support the CSP header in v14.x because of an underlying third-party library dependency.
The application sends "X-Frame-Options: SAMEORIGIN" and "X-XSS-Protection: 1; mode=block" and has an internal framework filter that defends against XSS and clickjacking attacks. Note that X-XSS-Protection is a legacy header: current Chromium-based browsers (Chrome, Edge) ignore it and Firefox never implemented it, so in those browsers the XSS defense rests on the framework filter. X-Frame-Options: SAMEORIGIN is still honored by all major browsers and is what provides the clickjacking protection in the absence of a CSP frame-ancestors directive.
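To check what a given deployment actually sends, the following script parses a raw HTTP response and reports which of the headers above are present and what each one enforces. This is an added example, not code from the product or from this article; the two sample responses are constructed for illustration (the first mirrors the headers described above, the second adds an assumed CSP that the product does not currently send), and the policy values in the hardened sample are illustrative, not a vendor recommendation.

```python
"""Header audit for the XSS / clickjacking defenses discussed above.

Added example, not code from the product or this article. It parses a raw
HTTP/1.1 response and reports which of the relevant response headers are
present and what they actually enforce. The sample responses at the bottom are
constructed for illustration; the hardened one assumes a CSP that the product
does not currently send.
"""


def parse_headers(raw_response: str) -> dict:
    """Return a dict of lowercase header name -> value from a raw response.

    Only the status line and header block are read; the body after the blank
    line is ignored. Repeated list-valued headers are joined with ", ".
    """
    head, _, _body = raw_response.partition("\r\n\r\n")
    headers: dict = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line, skip it
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def parse_csp(policy: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: dict = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_response(raw_response: str) -> dict:
    """Evaluate the anti-XSS / anti-clickjacking headers of one response."""
    headers = parse_headers(raw_response)
    csp = parse_csp(headers.get("content-security-policy", ""))
    xfo = headers.get("x-frame-options", "").upper()
    xss = headers.get("x-xss-protection", "")

    framing_blocked_by_csp = "frame-ancestors" in csp
    framing_blocked_by_xfo = xfo in ("DENY", "SAMEORIGIN")
    # A CSP only constrains script execution if it has script-src or a
    # default-src fallback; frame-ancestors alone says nothing about XSS.
    script_restricted_by_csp = "script-src" in csp or "default-src" in csp

    return {
        "csp_present": bool(csp),
        "csp_restricts_scripts": script_restricted_by_csp,
        "csp_restricts_framing": framing_blocked_by_csp,
        "xfo_restricts_framing": framing_blocked_by_xfo,
        # X-XSS-Protection is legacy: current Chromium browsers ignore it and
        # Firefox never implemented it, so it is reported but not counted.
        "xss_protection_header": xss,
        "clickjacking_mitigated": framing_blocked_by_csp or framing_blocked_by_xfo,
        "xss_mitigated_by_headers": script_restricted_by_csp,
    }


# Constructed sample: the headers the article says the application sends today.
CURRENT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)

# Constructed sample: the same response with an assumed CSP added. The policy
# values are illustrative, not a recommendation from the vendor.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; "
    "frame-ancestors 'self'\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)


if __name__ == "__main__":
    for label, resp in (("current", CURRENT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp))
```

To audit a real deployment, capture a response with `curl -i` against the application and pass the text to `audit_response`. For the current headers the report shows clickjacking mitigated by X-Frame-Options only and no header-level XSS restriction, which is the gap the CSP request is about.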
CSP support is not planned for v15, our next release. It can be considered in subsequent releases based on the priority set by Product Management (the plan and timelines are currently unknown).