# HG changeset patch # User Kim Alvefur # Date 1624199424 -7200 # Node ID a6d1131ac833424a72543400e35370e22a6aa39f # Parent d221d764741a8a297f822671e97ba6d6ac1768df mod_http_file_share: Update comment about x-frame-options X-Frame-Options was replaced by the Content-Security-Policy 'frame-ancestors' directive, but Internet Explorer does not support that part of CSP. Since it's just one line it doesn't hurt to keep until some future spring cleaning event :) diff -r d221d764741a -r a6d1131ac833 plugins/mod_http_file_share.lua --- a/plugins/mod_http_file_share.lua Sat Jun 19 13:25:48 2021 +0200 +++ b/plugins/mod_http_file_share.lua Sun Jun 20 16:30:24 2021 +0200 @@ -404,7 +404,7 @@ response.headers.content_security_policy = "default-src 'none'; frame-ancestors 'none';" response.headers.strict_transport_security = "max-age=31556952"; response.headers.x_content_type_options = "nosniff"; - response.headers.x_frame_options = "DENY"; -- replaced by frame-ancestors in CSP? + response.headers.x_frame_options = "DENY"; -- COMPAT IE missing support for CSP frame-ancestors response.headers.x_xss_protection = "1; mode=block"; return response:send_file(handle);