From b1b989f1720e59c0877669d3908d383ff3160622 Mon Sep 17 00:00:00 2001
From: Justin Goette <53531335+jcgoette@users.noreply.github.com>
Date: Tue, 25 May 2021 07:37:08 -0400
Subject: [PATCH] Replace obsoleted X-Frame-Options with frame-ancestors (#272)

---
 src/nginxconfig/generators/conf/security.conf.js | 1 -
 src/nginxconfig/templates/global_sections/security.vue | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/nginxconfig/generators/conf/security.conf.js b/src/nginxconfig/generators/conf/security.conf.js
index f82d1d8..3b8ef7d 100644
--- a/src/nginxconfig/generators/conf/security.conf.js
+++ b/src/nginxconfig/generators/conf/security.conf.js
@@ -30,7 +30,6 @@ export default (domains, global) => {
 const config = [];
 config.push(['# security headers', '']);
- config.push(['add_header X-Frame-Options', '"SAMEORIGIN" always']);
 config.push(['add_header X-XSS-Protection', '"1; mode=block" always']);
 config.push(['add_header X-Content-Type-Options', '"nosniff" always']);
 config.push(['add_header Referrer-Policy', `"${global.security.referrerPolicy.computed}" always`]);
diff --git a/src/nginxconfig/templates/global_sections/security.vue b/src/nginxconfig/templates/global_sections/security.vue
index f3f73e3..bf233f7 100644
--- a/src/nginxconfig/templates/global_sections/security.vue
+++ b/src/nginxconfig/templates/global_sections/security.vue
@@ -161,7 +161,7 @@ THE SOFTWARE.
 enabled: true,
 },
 contentSecurityPolicy: {
- default: 'default-src \'self\' http: https: data: blob: \'unsafe-inline\'',
+ default: 'default-src \'self\' http: https: data: blob: \'unsafe-inline\'; frame-ancestors \'self\';',
 enabled: true,
 },
 serverTokens: {
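Review bot: Dropping the unconditional `add_header X-Frame-Options` line makes clickjacking protection depend entirely on the CSP header carrying `frame-ancestors`, and the Vue data touched by this same patch shows the CSP is a toggleable, user-editable default (`enabled: true`), so a generated config with CSP switched off or the directive edited out now ships no framing restriction at all, whereas before it always had SAMEORIGIN. Consider keeping the removed line behind a guard on the generator's CSP toggle — assuming it reads the `enabled` flag the Vue data declares, something like `if (!global.security.contentSecurityPolicy.enabled) config.push(['add_header X-Frame-Options', '"SAMEORIGIN" always']);` — or at least surfacing in the UI that disabling CSP also removes frame protection. The surviving `X-XSS-Protection "1; mode=block"` line is in the same deprecated category as the header being removed here, so the reasoning in the commit title would argue for revisiting it too. The enclosing arrow function continues past the hunk.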
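Review bot: The new default ends with `frame-ancestors 'self';` — a trailing semicolon is tolerated by the CSP grammar, but the rest of this string has none, so for consistency and to avoid a spurious empty directive write `default: 'default-src \'self\' http: https: data: blob: \'unsafe-inline\'; frame-ancestors \'self\'',`. It is worth a comment on this field that `frame-ancestors` is only honoured when the policy is delivered as a response header, not via a `<meta>` tag, which is consistent with the `add_header` route the generator appears to use. The enclosing data object starts and ends outside the hunk.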