Replace obsoleted X-Frame-Options with frame-ancestors (digitalocean#272

)
ChenJinluo · May 25, 2021 · b1b989f · b1b989f
1 parent c261892
commit b1b989f
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 2 deletions.
diff --git a/src/nginxconfig/generators/conf/security.conf.js b/src/nginxconfig/generators/conf/security.conf.js
@@ -30,7 +30,6 @@ export default (domains, global) => {
     const config = [];
 
     config.push(['# security headers', '']);
-    config.push(['add_header X-Frame-Options', '"SAMEORIGIN" always']);
     config.push(['add_header X-XSS-Protection', '"1; mode=block" always']);
     config.push(['add_header X-Content-Type-Options', '"nosniff" always']);
     config.push(['add_header Referrer-Policy', `"${global.security.referrerPolicy.computed}" always`]);

diff --git a/src/nginxconfig/templates/global_sections/security.vue b/src/nginxconfig/templates/global_sections/security.vue
@@ -161,7 +161,7 @@ THE SOFTWARE.
             enabled: true,
         },
         contentSecurityPolicy: {
-            default: 'default-src \'self\' http: https: data: blob: \'unsafe-inline\'',
+            default: 'default-src \'self\' http: https: data: blob: \'unsafe-inline\'; frame-ancestors \'self\';',
             enabled: true,
         },
         serverTokens: {