From bff6c8aafc49a3260294c3244571e3a31fd09cca Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Sun, 26 Mar 2017 17:24:50 +0200 Subject: [PATCH] Move X-Frame-Options into PHP The public calendar view should be embeddable and we can't do that if the .htaccess sets a global X-Frame-Options. Signed-off-by: Lukas Reschke --- .htaccess | 1 - lib/private/legacy/response.php | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.htaccess b/.htaccess index 525ee3a0fb..7bf8759e38 100644 --- a/.htaccess +++ b/.htaccess @@ -14,7 +14,6 @@ Header set X-Content-Type-Options "nosniff" Header set X-XSS-Protection "1; mode=block" Header set X-Robots-Tag "none" - Header set X-Frame-Options "SAMEORIGIN" Header set X-Download-Options "noopen" Header set X-Permitted-Cross-Domain-Policies "none" SetEnv modHeadersAvailable true diff --git a/lib/private/legacy/response.php b/lib/private/legacy/response.php index 69c84e2df6..8937b56a70 100644 --- a/lib/private/legacy/response.php +++ b/lib/private/legacy/response.php @@ -255,13 +255,13 @@ class OC_Response { . 'media-src *; ' . 'connect-src *'; header('Content-Security-Policy:' . $policy); + header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains // Send fallback headers for installations that don't have the possibility to send // custom headers on the webserver side if(getenv('modHeadersAvailable') !== 'true') { header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE - header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag header('X-Download-Options: noopen'); // https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html