Enable `X-Frame-Options` for the WCFSetup

This has the side effect of suppressing `SameSite=none` for the cookies, which fails on insecure connections because this attribute value is valid for secure cookies only.

Resolves #4499
Follow up for 2a9d48c4badc4de2e0f2d2fc73c3af2bee39cce8

diff --git a/wcfsetup/install/files/options.inc.php b/wcfsetup/install/files/options.inc.php
index e5a7210d9b90dcc7f80d557689c230667395b1d8..edfa6df09147c6721ba2d6b44f098c9fad4c5724 100644 (file)
--- a/wcfsetup/install/files/options.inc.php
+++ b/wcfsetup/install/files/options.inc.php
@@ -22,7 +22,7 @@ if (\file_exists(WCF_DIR . 'cookiePrefix.txt')) {
 \define('COOKIE_PATH', '');
 \define('COOKIE_DOMAIN', '');
 
-\define('HTTP_SEND_X_FRAME_OPTIONS', 0);
+\define('HTTP_SEND_X_FRAME_OPTIONS', 1);
 
 \define('BLACKLIST_IP_ADDRESSES', '');
 \define('BLACKLIST_USER_AGENTS', '');