mod_http_file_share: Update comment about x-frame-options

X-Frame-Options was replaced by the Content-Security-Policy 'frame-ancestors' directive, but Internet Explorer does not support that part of CSP. Since it's just one line it doesn't hurt to keep until some future spring cleaning event :)
author: Kim Alvefur <zash@zash.se> 2021-06-20 16:30:24 +0200
committer: Kim Alvefur <zash@zash.se> 2021-06-20 16:30:24 +0200
commit: 1904899421263d198abe4002d9a2c49c86866f20 (patch)
tree: 7577d3f7e1e7be54ff91380f409ab7bb652158fd /plugins/mod_http_file_share.lua
parent: 8277dab49e2d5cf9b5a64986af2326ddc42a68b3 (diff)
download: prosody-1904899421263d198abe4002d9a2c49c86866f20.tar.gz
prosody-1904899421263d198abe4002d9a2c49c86866f20.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/plugins/mod_http_file_share.lua b/plugins/mod_http_file_share.lua
index d609b781..03274120 100644
--- a/plugins/mod_http_file_share.lua
+++ b/plugins/mod_http_file_share.lua
@@ -404,7 +404,7 @@ function handle_download(event, path) -- GET /uploads/:slot+filename
 	response.headers.content_security_policy =  "default-src 'none'; frame-ancestors 'none';"
 	response.headers.strict_transport_security = "max-age=31556952";
 	response.headers.x_content_type_options = "nosniff";
-	response.headers.x_frame_options = "DENY"; -- replaced by frame-ancestors in CSP?
+	response.headers.x_frame_options = "DENY"; -- COMPAT IE missing support for CSP frame-ancestors
 	response.headers.x_xss_protection = "1; mode=block";
 
 	return response:send_file(handle);
author	Kim Alvefur <zash@zash.se>	2021-06-20 16:30:24 +0200
committer	Kim Alvefur <zash@zash.se>	2021-06-20 16:30:24 +0200
commit	1904899421263d198abe4002d9a2c49c86866f20 (patch)
tree	7577d3f7e1e7be54ff91380f409ab7bb652158fd /plugins/mod_http_file_share.lua
parent	8277dab49e2d5cf9b5a64986af2326ddc42a68b3 (diff)
download	prosody-1904899421263d198abe4002d9a2c49c86866f20.tar.gz prosody-1904899421263d198abe4002d9a2c49c86866f20.zip