The concern is that Identity Manager (IM) or Identity Portal (IP) is exposed to XSS and clickjacking vulnerabilities because the Content-Security-Policy header is not implemented.
IM, IP
Identity Manager or Identity Portal implements the required headers "X-Frame-Options: SAMEORIGIN" and "X-XSS-Protection: 1; mode=block", along with an internal framework filter, that strongly defend against XSS and clickjacking attacks.
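
To confirm on a given deployment that the two headers named above are actually returned, the response head can be audited as in the following added example (not code from the product or from this article). The function names and the sample response are constructed for illustration.

```python
# Constructed sample response head (not captured from a real IM/IP server).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return {lowercased header name: [values]} from a raw response head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]  # skip status line
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            # Header names are case-insensitive; keep repeats as a list.
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Check the headers this article names and report whether CSP is set."""
    h = parse_headers(raw)
    xfo = [v.upper() for v in h.get("x-frame-options", [])]
    xxp = [[p.strip().lower() for p in v.split(";")]
           for v in h.get("x-xss-protection", [])]
    return {
        # Exactly one value is required, so a duplicated or conflicting
        # header is reported as a failure and can be reviewed by hand.
        "x_frame_options_sameorigin": xfo == ["SAMEORIGIN"],
        "x_xss_protection_block": (
            len(xxp) == 1 and xxp[0][0] == "1" and "mode=block" in xxp[0][1:]
        ),
        # Informational: the article states CSP is not implemented.
        "csp_present": bool(h.get("content-security-policy")),
    }

if __name__ == "__main__":
    for check, ok in audit(SAMPLE).items():
        print(f"{check}: {'yes' if ok else 'no'}")
```

To audit a live server, pass the response head saved from a request to the IM or IP login page to `audit()` in place of `SAMPLE`.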