do not set response header X-Frame-Options for S3 requests (#5838)

This change removes the X-Frame-Options header. It should
not be set for S3 requests, since it can break CORS.

Fixes #5813
master
Andreas Auernhammer 7 years ago committed by Harshavardhana
parent 9ebb72aa99
commit 5a16671f72
  1. 1
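--- a/cmd/generic-handlers.go
+++ b/cmd/generic-handlers.go
@@ -648,7 +648,6 @@ func addSecurityHeaders(h http.Handler) http.Handler {
 func (s securityHeaderHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 header := w.Header()
 header.Set("X-XSS-Protection", "\"1; mode=block\"") // Prevents against XSS attacks
-header.Set("X-Frame-Options", "SAMEORIGIN") // Prevents against Clickjacking
 header.Set("Content-Security-Policy", "block-all-mixed-content") // prevent mixed (HTTP / HTTPS content)
 s.handler.ServeHTTP(w, r)
 }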
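Review bot: The removal of `X-Frame-Options` in `securityHeaderHandler.ServeHTTP` is unconditional, so every response that passes through this handler loses clickjacking protection, not only S3 API responses. If a browser-facing UI is served behind the same wrapper (not visible in this hunk), it should keep the header on those routes, for example by setting it in the UI router instead of here. Separately, the context line `header.Set("X-XSS-Protection", "\"1; mode=block\"")` sends the value wrapped in literal double quotes, which browsers are unlikely to parse as intended; `header.Set("X-XSS-Protection", "1; mode=block")` is the expected form. The hunk shows the whole method, but `addSecurityHeaders` and the routes it wraps are outside it.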
