From 5a16671f721f4e8f320bc25f60ce4e601ab544e3 Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer
Date: Thu, 19 Apr 2018 20:46:37 +0200
Subject: [PATCH] do not set response header X-Frame-Options for S3 requests (#5838)

This change removes the X-Frame-Options header - It should not be set for S3 requests since it can break CORS.

Fixes #5813
---
 cmd/generic-handlers.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/cmd/generic-handlers.go b/cmd/generic-handlers.go
index 8f5b20701..ea9ad4c60 100644
--- a/cmd/generic-handlers.go
+++ b/cmd/generic-handlers.go
@@ -648,7 +648,6 @@ func addSecurityHeaders(h http.Handler) http.Handler {
 func (s securityHeaderHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	header := w.Header()
 	header.Set("X-XSS-Protection", "\"1; mode=block\"") // Prevents against XSS attacks
-	header.Set("X-Frame-Options", "SAMEORIGIN") // Prevents against Clickjacking
 	header.Set("Content-Security-Policy", "block-all-mixed-content") // prevent mixed (HTTP / HTTPS content)
 	s.handler.ServeHTTP(w, r)
 }
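Review bot: The X-XSS-Protection line kept just above the removed line sets the value to `"\"1; mode=block\""`, so the response carries the header with literal double quotes around the directive (`X-XSS-Protection: "1; mode=block"`), which is not the documented form and browsers that still evaluate this header may not recognise it; the value should be written without the embedded quotes, `header.Set("X-XSS-Protection", "1; mode=block")`. With this commit the handler no longer sets any anti-framing header on any response it wraps, so the comment on addSecurityHeaders (outside the hunk) should say that protection against framing is now expected from the deployment, for example a fronting proxy, rather than from this middleware. The ServeHTTP body is entirely within the hunk; the behaviour of the remaining Content-Security-Policy line is unchanged.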