aboutsummaryrefslogtreecommitdiffstats
path: root/plugins
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2021-06-20 16:30:24 +0200
committerKim Alvefur <zash@zash.se>2021-06-20 16:30:24 +0200
commit1904899421263d198abe4002d9a2c49c86866f20 (patch)
tree7577d3f7e1e7be54ff91380f409ab7bb652158fd /plugins
parent8277dab49e2d5cf9b5a64986af2326ddc42a68b3 (diff)
downloadprosody-1904899421263d198abe4002d9a2c49c86866f20.tar.gz
prosody-1904899421263d198abe4002d9a2c49c86866f20.zip
mod_http_file_share: Update comment about x-frame-options
X-Frame-Options was replaced by the Content-Security-Policy 'frame-ancestors' directive, but Internet Explorer does not support that part of CSP. Since it's just one line it doesn't hurt to keep until some future spring cleaning event :)
Diffstat (limited to 'plugins')
-rw-r--r--plugins/mod_http_file_share.lua2
1 files changed, 1 insertions, 1 deletions
diff --git a/plugins/mod_http_file_share.lua b/plugins/mod_http_file_share.lua
index d609b781..03274120 100644
--- a/plugins/mod_http_file_share.lua
+++ b/plugins/mod_http_file_share.lua
@@ -404,7 +404,7 @@ function handle_download(event, path) -- GET /uploads/:slot+filename
response.headers.content_security_policy = "default-src 'none'; frame-ancestors 'none';"
response.headers.strict_transport_security = "max-age=31556952";
response.headers.x_content_type_options = "nosniff";
- response.headers.x_frame_options = "DENY"; -- replaced by frame-ancestors in CSP?
+ response.headers.x_frame_options = "DENY"; -- COMPAT IE missing support for CSP frame-ancestors
response.headers.x_xss_protection = "1; mode=block";
return response:send_file(handle);