This was intentionally introduced via NIFI-3907  in Apache NiFi 1.3.0 as a mitigation for CVE-2017-7667 . Prior to this change, a malicious site could have displayed the NiFi UI and introduced invisible overlays such that an unsuspecting user would perform actions like entering sensitive credentials into a malicious form field. See here  and here  for further information on Cross Frame Scripting / Clickjacking, as the attack is called.
If you have some kind of enterprise portal and have a legitimate need to display a NiFi UI within a frame that is not hosted on the same origin, you can resort to modifying the value provided to the response header in the filter here . If you need this as an included feature in NiFi (for example, a configurable URI in nifi.properties), I suggest raising a Jira ticket, but I have to caution that it would be a low priority, as this actively weakens the security of the system and is not a common use case.
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69