Remove X-Frame-Options in favor of CSP frame-ancestors

Change-Id: I23a54a25cab8ec532618c82a403802ef2c9224b8
diff --git a/Changes b/Changes
index 8dc9a86..71820b5 100755
--- a/Changes
+++ b/Changes
@@ -6,6 +6,8 @@
           response.
         - Added utility funcition to menu that gets all direct
           childNodes by a tag. Used in menu-style specs. (lerepp)
+        - Remove 'X-Frame-Options' in favor of 'frame-ancestors'
+          as a CSP rule.
 
 0.42 2021-06-18
         - Added GitHub based CI for perl.
diff --git a/lib/Kalamar.pm b/lib/Kalamar.pm
index 4f619a6..fd8fe69 100644
--- a/lib/Kalamar.pm
+++ b/lib/Kalamar.pm
@@ -137,7 +137,6 @@
     before_dispatch => sub {
       my $h = shift->res->headers;
       $h->header('X-Content-Type-Options' => 'nosniff');
-      $h->header('X-Frame-Options' => 'sameorigin');
       $h->header('X-XSS-Protection' => '1; mode=block');
       $h->header(
         'Access-Control-Allow-Methods' =>
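Review bot: Dropping the `X-Frame-Options` header at the removed line makes clickjacking protection depend entirely on CSP `frame-ancestors`, which browsers that predate CSP Level 2 (Internet Explorer, legacy EdgeHTML and some embedded WebViews) do not honor, so those clients now get no framing restriction at all. The common practice is to send both: `frame-ancestors` takes precedence where it is supported and `X-Frame-Options` acts as the fallback, so keeping `$h->header('X-Frame-Options' => 'SAMEORIGIN');` next to the `X-Content-Type-Options` line costs nothing and loses nothing. If dropping legacy support is deliberate, a comment in its place such as `# Clickjacking protection: CSP frame-ancestors only (no X-Frame-Options fallback for pre-CSP2 browsers)` would record that decision for the next reader. The `before_dispatch` hook body continues outside this hunk.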
@@ -197,6 +196,7 @@
     'script-src'  => ['self','sha256-VGXK99kFz+zmAQ0kxgleFrBWZgybFAPOl3GQtS7FQkI='],
     'connect-src' => 'self',
     'frame-src'   => '*',
+    'frame-ancestors' => 'self',
     'media-src'   => 'none',
     'object-src'  => 'self',
     'font-src'    => 'self',
diff --git a/t/page.t b/t/page.t
index 9146c0f..0be13c8 100644
--- a/t/page.t
+++ b/t/page.t
@@ -29,11 +29,11 @@
   ->header_like('Content-Security-Policy', qr!media-src 'none';!)
   ->header_like('Content-Security-Policy', qr!object-src 'self';!)
   ->header_like('Content-Security-Policy', qr!nonce-!)
+  ->header_like('Content-Security-Policy', qr!frame-ancestors 'self';!)
   ->content_like(qr/<script nonce/)
   ->content_like(qr/document\.body\.classList\.remove\(\'no-js\'\);/)
   ->header_is('X-Content-Type-Options', 'nosniff')
   ->header_is('Access-Control-Allow-Methods','GET, POST, OPTIONS')
-  ->header_is('X-Frame-Options', 'sameorigin')
   ->header_is('X-XSS-Protection', '1; mode=block')
   ;
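Review bot: With the `header_is('X-Frame-Options', 'sameorigin')` assertion removed, the test no longer pins any policy for that header, so neither intended outcome is verified: if the header is meant to stay as a legacy fallback alongside `frame-ancestors`, keep `->header_is('X-Frame-Options', 'sameorigin')`; if it is meant to be gone, assert that explicitly with `->header_exists_not('X-Frame-Options')` (or `->header_is('X-Frame-Options', undef)` on older Test::Mojo) so a reintroduction with a conflicting value such as `DENY` is caught. The added `frame-ancestors 'self';` match relies on the directive being terminated by a semicolon, which is consistent with how the other directives are checked above. The `$t->...` assertion chain begins before this hunk.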