diff options
author | Lukas Reschke <lukas@statuscode.ch> | 2017-03-26 17:24:50 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@statuscode.ch> | 2017-03-26 17:26:11 +0200 |
commit | bff6c8aafc49a3260294c3244571e3a31fd09cca (patch) | |
tree | 63478f0cffe1a9bf4e8e119c5c5286bd8a6b1a6c | |
parent | ec6853a2a65c284af08f0241699f227516f25464 (diff) | |
download | nextcloud-server-bff6c8aafc49a3260294c3244571e3a31fd09cca.tar.gz nextcloud-server-bff6c8aafc49a3260294c3244571e3a31fd09cca.zip |
Move X-Frame-Options into PHP
The public calendar view should be embeddable and we can't do that if the .htaccess sets a global X-Frame-Options.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
-rw-r--r-- | .htaccess | 1 | ||||
-rw-r--r-- | lib/private/legacy/response.php | 2 |
2 files changed, 1 insertions, 2 deletions
diff --git a/.htaccess b/.htaccess index 525ee3a0fb6..7bf8759e383 100644 --- a/.htaccess +++ b/.htaccess @@ -14,7 +14,6 @@ Header set X-Content-Type-Options "nosniff" Header set X-XSS-Protection "1; mode=block" Header set X-Robots-Tag "none" - Header set X-Frame-Options "SAMEORIGIN" Header set X-Download-Options "noopen" Header set X-Permitted-Cross-Domain-Policies "none" SetEnv modHeadersAvailable true diff --git a/lib/private/legacy/response.php b/lib/private/legacy/response.php index 69c84e2df68..8937b56a707 100644 --- a/lib/private/legacy/response.php +++ b/lib/private/legacy/response.php @@ -255,13 +255,13 @@ class OC_Response { . 'media-src *; ' . 'connect-src *'; header('Content-Security-Policy:' . $policy); + header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains // Send fallback headers for installations that don't have the possibility to send // custom headers on the webserver side if(getenv('modHeadersAvailable') !== 'true') { header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE - header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag header('X-Download-Options: noopen'); // https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html |