CSP: a note about frame-ancestors

[532910]

frame-ancestors directive is not supported in the element.
Should readme add a note for adding it on the web-server side for increasing security level?

[t3chguy]

Should readme add a note for adding it on the web-server side for increasing security level?

Whether or not a riot instance is framable is up to the instance, some want it as a form of integration. Thus leaving it down to X-Frame-Options seems sane.

[532910]

Whether or not a riot instance is framable is up to the instance, some want it as a form of integration.

Sure!

Thus leaving it down to X-Frame-Options seems sane.

frame-ancestors obsoletes X-Frame-Options
It doesn't matter as this is an HTTP server setting, not riot-web. I meant to add a note into README.md about it.

[t3chguy]

I mean sure, but that's just Web Hosting 101. We don't currently seem to have anything about the use of X-Framing-Options

[532910]

I'm about instructions for sefl-hosted riot-web, not about riot.im instance.