From 1904899421263d198abe4002d9a2c49c86866f20 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Sun, 20 Jun 2021 16:30:24 +0200
Subject: mod_http_file_share: Update comment about x-frame-options

X-Frame-Options was replaced by the Content-Security-Policy
'frame-ancestors' directive, but Internet Explorer does not support that
part of CSP.

Since it's just one line it doesn't hurt to keep until some future
spring cleaning event :)
---
 plugins/mod_http_file_share.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'plugins')

diff --git a/plugins/mod_http_file_share.lua b/plugins/mod_http_file_share.lua
index d609b781..03274120 100644
--- a/plugins/mod_http_file_share.lua
+++ b/plugins/mod_http_file_share.lua
@@ -404,7 +404,7 @@ function handle_download(event, path) -- GET /uploads/:slot+filename
 	response.headers.content_security_policy =  "default-src 'none'; frame-ancestors 'none';"
 	response.headers.strict_transport_security = "max-age=31556952";
 	response.headers.x_content_type_options = "nosniff";
-	response.headers.x_frame_options = "DENY"; -- replaced by frame-ancestors in CSP?
+	response.headers.x_frame_options = "DENY"; -- COMPAT IE missing support for CSP frame-ancestors
 	response.headers.x_xss_protection = "1; mode=block";
 
 	return response:send_file(handle);
-- 
cgit v1.2.3