do not set response header X-Frame-Options for S3 requests (#5838)

This change removes the X-Frame-Options header - It should
not be set for S3 requests since it can break CORS.

Fixes #5813
This commit is contained in:
Andreas Auernhammer 2018-04-19 20:46:37 +02:00 committed by Harshavardhana
parent 9ebb72aa99
commit 5a16671f72

View File

@ -648,7 +648,6 @@ func addSecurityHeaders(h http.Handler) http.Handler {
func (s securityHeaderHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
header := w.Header()
header.Set("X-XSS-Protection", "\"1; mode=block\"") // Prevents against XSS attacks
header.Set("X-Frame-Options", "SAMEORIGIN") // Prevents against Clickjacking
header.Set("Content-Security-Policy", "block-all-mixed-content") // prevent mixed (HTTP / HTTPS content)
s.handler.ServeHTTP(w, r)
}