Remove X-Frame-Options in favor of CSP frame-ancestors
Change-Id: I23a54a25cab8ec532618c82a403802ef2c9224b8
diff --git a/Changes b/Changes
index 8dc9a86..71820b5 100755
--- a/Changes
+++ b/Changes
@@ -6,6 +6,8 @@
response.
- Added utility funcition to menu that gets all direct
childNodes by a tag. Used in menu-style specs. (lerepp)
+ - Remove 'X-Frame-Options' in favor of 'frame-ancestors'
+ as a CSP rule.
0.42 2021-06-18
- Added GitHub based CI for perl.
diff --git a/lib/Kalamar.pm b/lib/Kalamar.pm
index 4f619a6..fd8fe69 100644
--- a/lib/Kalamar.pm
+++ b/lib/Kalamar.pm
@@ -137,7 +137,6 @@
before_dispatch => sub {
my $h = shift->res->headers;
$h->header('X-Content-Type-Options' => 'nosniff');
- $h->header('X-Frame-Options' => 'sameorigin');
$h->header('X-XSS-Protection' => '1; mode=block');
$h->header(
'Access-Control-Allow-Methods' =>
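Review bot: Removing `X-Frame-Options` outright leaves no clickjacking defense for clients that do not implement CSP Level 2 `frame-ancestors` (IE11 and some older embedded or mobile engines), and the header at the removed line cost nothing to keep. Per the CSP spec, when both are present a supporting browser enforces `frame-ancestors` and ignores `X-Frame-Options`, so keeping `$h->header('X-Frame-Options' => 'sameorigin');` next to `X-Content-Type-Options` yields the same policy on modern browsers plus a fallback on old ones. If dropping the fallback is deliberate, a short comment stating that trade-off at this point would help the next reader. The `before_dispatch` hook body continues past the end of the hunk.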
@@ -197,6 +196,7 @@
'script-src' => ['self','sha256-VGXK99kFz+zmAQ0kxgleFrBWZgybFAPOl3GQtS7FQkI='],
'connect-src' => 'self',
'frame-src' => '*',
+ 'frame-ancestors' => 'self',
'media-src' => 'none',
'object-src' => 'self',
'font-src' => 'self',
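Review bot: The new `'frame-ancestors' => 'self'` sits directly under `'frame-src' => '*'`, and the two directives point in opposite directions — `frame-ancestors` restricts who may embed this page (the clickjacking control replacing `X-Frame-Options`), while `frame-src` restricts what this page may embed — so a one-line comment would stop the wildcard above from being read as loosening the new rule. Suggested: `# frame-ancestors: who may frame us (replaces X-Frame-Options); frame-src: what we may frame`. It is also worth noting in that comment that `frame-ancestors` is only enforced when the policy is delivered as an HTTP header (it is ignored in a `<meta>` element) and does not fall back to `default-src`; the header_like check in t/page.t suggests the header path is used here. The CSP hash this entry belongs to starts and ends outside the hunk.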
diff --git a/t/page.t b/t/page.t
index 9146c0f..0be13c8 100644
--- a/t/page.t
+++ b/t/page.t
@@ -29,11 +29,11 @@
->header_like('Content-Security-Policy', qr!media-src 'none';!)
->header_like('Content-Security-Policy', qr!object-src 'self';!)
->header_like('Content-Security-Policy', qr!nonce-!)
+ ->header_like('Content-Security-Policy', qr!frame-ancestors 'self';!)
->content_like(qr/<script nonce/)
->content_like(qr/document\.body\.classList\.remove\(\'no-js\'\);/)
->header_is('X-Content-Type-Options', 'nosniff')
->header_is('Access-Control-Allow-Methods','GET, POST, OPTIONS')
- ->header_is('X-Frame-Options', 'sameorigin')
->header_is('X-XSS-Protection', '1; mode=block')
;