The Horizon Connection Server must enable the proper Content Security Policy directives.
The Horizon Connection Server Content Security Policy (CSP) feature mitigates a broad class of content injection vulnerabilities such as cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. The Connection Server has default CSP directives that block XSS attacks, enable x-frame restrictions and more. If the default configurations are overridden, the protections may be disabled even though the CSP itself is still enabled. This default policy must be validated and maintained over time.