do not set response header X-Frame-Options for S3 requests (#5838)

This change removes the X-Frame-Options header - It should not be set for S3 requests since it can break CORS. Fixes #5813
7 years ago · 5a16671f72
parent 9ebb72aa99
commit 5a16671f72
1 changed files with 0 additions and 1 deletions
--- a/cmd/generic-handlers.go
+++ b/cmd/generic-handlers.go
@ -648,7 +648,6 @@ func addSecurityHeaders(h http.Handler) http.Handler {
 func (s securityHeaderHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	header := w.Header()
 	header.Set("X-XSS-Protection", "\"1; mode=block\"")              // Prevents against XSS attacks
-	header.Set("X-Frame-Options", "SAMEORIGIN")                      // Prevents against Clickjacking
 	header.Set("Content-Security-Policy", "block-all-mixed-content") // prevent mixed (HTTP / HTTPS content)
 	s.handler.ServeHTTP(w, r)
 }