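/**
* Sets mandatory response headers, notably for anti-clickjacking: when a content security policy is
* available, the CSP header is set and, where the policy's frame-ancestors list can be expressed that
* way, a corresponding X-FRAME-OPTIONS header is set as well.
*/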
protected void setBasicHeaders(DefDescriptor top, HttpServletRequest req, HttpServletResponse rsp) {
ContentSecurityPolicy csp = Aura.getConfigAdapter().getContentSecurityPolicy(
top == null ? null : top.getQualifiedName(), req);
if (csp != null) {
rsp.setHeader(CSP.Header.SECURE, csp.getCspHeaderValue());
Collection<String> terms = csp.getFrameAncestors();
if (terms != null) {
// not open to the world; figure whether we can express an X-FRAME-OPTIONS header:
if (terms.size() == 0) {
// closed to any framing at all
rsp.setHeader(HDR_FRAME_OPTIONS, HDR_FRAME_DENY);