ops: Remove old X-Frame-Options HTTP header

production/nginx/server-common.conf

@@ -8,33 +8,28 @@ add_header Onion-Location http://$onion.onion$request_uri;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
 
 # generate frame configuration from origin header
-if ($frameOptions = '')
+if ($contentSecurityPolicy = '')
 {
-	set $frameOptions "DENY";
+	set $contentSecurityPolicy "frame-ancestors 'self'";
-	set $contentSecurityPolicy "frame-ancestors 'none'";
 }
 
 # used for iframes on https://mempool.space/network
 if ($http_referer ~ ^https://mempool.space/)
 {
-	set $frameOptions "ALLOW-FROM https://mempool.space";
 	set $contentSecurityPolicy "frame-ancestors https://mempool.space";
 }
 # used for iframes on https://mempool.ninja/network
 if ($http_referer ~ ^https://mempool.ninja/)
 {
-	set $frameOptions "ALLOW-FROM https://mempool.ninja";
 	set $contentSecurityPolicy "frame-ancestors https://mempool.ninja";
 }
 # used for iframes on https://wiz.biz/bitcoin/nodes
 if ($http_referer ~ ^https://wiz.biz/)
 {
-	set $frameOptions "ALLOW-FROM https://wiz.biz";
 	set $contentSecurityPolicy "frame-ancestors https://wiz.biz";
 }
 
 # restrict usage of frames
-add_header X-Frame-Options $frameOptions;
 add_header Content-Security-Policy $contentSecurityPolicy;
 
 # enable browser and proxy caching