Remove X-Frame-Options in favor of CSP frame-ancestors
Change-Id: I23a54a25cab8ec532618c82a403802ef2c9224b8
diff --git a/lib/Kalamar.pm b/lib/Kalamar.pm
index 4f619a6..fd8fe69 100644
--- a/lib/Kalamar.pm
+++ b/lib/Kalamar.pm
@@ -137,7 +137,6 @@
before_dispatch => sub {
my $h = shift->res->headers;
$h->header('X-Content-Type-Options' => 'nosniff');
- $h->header('X-Frame-Options' => 'sameorigin');
$h->header('X-XSS-Protection' => '1; mode=block');
$h->header(
'Access-Control-Allow-Methods' =>
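Review bot: Dropping `X-Frame-Options` here removes clickjacking protection for every client that does not implement CSP Level 2 `frame-ancestors` (older browsers and some embedded or proxy-side filters), while the replacement directive is only added in the second hunk at line 196. Browsers that understand both are specified to prefer `frame-ancestors` and ignore `X-Frame-Options`, so keeping the header costs nothing and gives defence in depth; I would retain `$h->header('X-Frame-Options' => 'sameorigin');` next to the other hardening headers. If the CSP from the second hunk is not attached to every response that this `before_dispatch` hook covers (which the diff does not show), those responses would now ship with no framing restriction at all — worth confirming. A one-line comment such as `# CSP frame-ancestors supersedes this in modern browsers; kept for legacy clients` would record the intent for the next reader. The enclosing `before_dispatch` closure continues outside the hunk.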
@@ -197,6 +196,7 @@
'script-src' => ['self','sha256-VGXK99kFz+zmAQ0kxgleFrBWZgybFAPOl3GQtS7FQkI='],
'connect-src' => 'self',
'frame-src' => '*',
+ 'frame-ancestors' => 'self',
'media-src' => 'none',
'object-src' => 'self',
'font-src' => 'self',