Replace obsoleted X-Frame-Options with frame-ancestors (#272)

2025-11-04 09:26:11 +08:00 · 2021-05-25 07:37:08 -04:00
parent c261892de4
commit b1b989f172
2 changed files with 1 additions and 2 deletions
--- a/src/nginxconfig/generators/conf/security.conf.js
+++ b/src/nginxconfig/generators/conf/security.conf.js
@@ -30,7 +30,6 @@ export default (domains, global) => {
    const config = [];

    config.push(['# security headers', '']);
-    config.push(['add_header X-Frame-Options', '"SAMEORIGIN" always']);
    config.push(['add_header X-XSS-Protection', '"1; mode=block" always']);
    config.push(['add_header X-Content-Type-Options', '"nosniff" always']);
    config.push(['add_header Referrer-Policy', `"${global.security.referrerPolicy.computed}" always`]);
--- a/src/nginxconfig/templates/global_sections/security.vue
+++ b/src/nginxconfig/templates/global_sections/security.vue
@@ -161,7 +161,7 @@ THE SOFTWARE.
            enabled: true,
        },
        contentSecurityPolicy: {
-            default: 'default-src \'self\' http: https: data: blob: \'unsafe-inline\'',
+            default: 'default-src \'self\' http: https: data: blob: \'unsafe-inline\'; frame-ancestors \'self\';',
            enabled: true,
        },
        serverTokens: {