From c626bd1ea2b51d8eed9787e9f701613a5887279a Mon Sep 17 00:00:00 2001
From: wiz
Date: Wed, 19 Feb 2025 10:56:13 -0600
Subject: [PATCH] ops: Remove old X-Frame-Options HTTP header

---
 production/nginx/server-common.conf | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/production/nginx/server-common.conf b/production/nginx/server-common.conf
index 9a2a582c0..5a0b17b4e 100644
--- a/production/nginx/server-common.conf
+++ b/production/nginx/server-common.conf
@@ -8,33 +8,28 @@ add_header Onion-Location http://$onion.onion$request_uri;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
 # generate frame configuration from origin header
-if ($frameOptions = '')
+if ($contentSecurityPolicy = '')
 {
- set $frameOptions "DENY";
- set $contentSecurityPolicy "frame-ancestors 'none'";
+ set $contentSecurityPolicy "frame-ancestors 'self'";
 }
 # used for iframes on https://mempool.space/network
 if ($http_referer ~ ^https://mempool.space/)
 {
- set $frameOptions "ALLOW-FROM https://mempool.space";
 set $contentSecurityPolicy "frame-ancestors https://mempool.space";
 }
 # used for iframes on https://mempool.ninja/network
 if ($http_referer ~ ^https://mempool.ninja/)
 {
- set $frameOptions "ALLOW-FROM https://mempool.ninja";
 set $contentSecurityPolicy "frame-ancestors https://mempool.ninja";
 }
 # used for iframes on https://wiz.biz/bitcoin/nodes
 if ($http_referer ~ ^https://wiz.biz/)
 {
- set $frameOptions "ALLOW-FROM https://wiz.biz";
 set $contentSecurityPolicy "frame-ancestors https://wiz.biz";
 }
 # restrict usage of frames
-add_header X-Frame-Options $frameOptions;
 add_header Content-Security-Policy $contentSecurityPolicy;
 # enable browser and proxy caching
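Review bot: The default policy set inside the `if ($contentSecurityPolicy = '')` block is relaxed from `frame-ancestors 'none'` to `frame-ancestors 'self'`, which the subject line ("Remove old X-Frame-Options HTTP header") does not mention; with the `DENY` fallback gone this line is now the only framing restriction for requests that match none of the referer branches, so the comment above the block should record that same-origin framing is intentional, e.g. `# default policy: allow same-origin framing only; other origins must be listed below`. The existing comment `# generate frame configuration from origin header` is also misleading, since every branch below keys off `$http_referer` rather than an Origin header — `# select frame-ancestors policy from the Referer header` would match the code. The referer regexes such as `^https://mempool.space/` are unchanged context here, but their unescaped dots match any character; if these lines are revisited, `\.` would make them exact.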