Enable `X-Frame-Options` for the WCFSetup

This has the side effect of suppressing `SameSite=none` for the cookies, which fails on insecure connections because this attribute value is valid for secure cookies only.

Resolves #4499

diff --git a/wcfsetup/install/files/lib/system/WCFSetup.class.php b/wcfsetup/install/files/lib/system/WCFSetup.class.php
index 510d3a498d7841c5f703c260d5b5725c31f752a7..1c3ca4544d0850f074db97f3a00267f317ce13cf 100644 (file)
--- a/wcfsetup/install/files/lib/system/WCFSetup.class.php
+++ b/wcfsetup/install/files/lib/system/WCFSetup.class.php
@@ -36,7 +36,7 @@ use wcf\util\XML;
 
 // define
 \define('PACKAGE_ID', 0);
-\define('HTTP_SEND_X_FRAME_OPTIONS', 0);
+\define('HTTP_SEND_X_FRAME_OPTIONS', 1);
 \define('CACHE_SOURCE_TYPE', 'disk');
 \define('MODULE_MASTER_PASSWORD', 1);
 \define('ENABLE_DEBUG_MODE', 1);