Move cors.X_FRAME_OPTIONS to security.X_FRAME_OPTIONS and add false option

[silverwind]

The value of X-Frame-Options was previously in the cors section but it's in fact entirely unrelated to CORS but a separate security-related option which should be in the security section.

Additionally I've added a special value false, that if set will not add the header at all, e.g. the "insecure" variant.

I don't expect much breakage from this because the only other valid value is DENY and people who wanted to remove the header would have likely done so at load-balancer level because gitea previously did not allow to unset the header at all.

⚠️ BREAKING ⚠️

The cors.X_FRAME_OPTIONS setting has been moved to security.X_FRAME_OPTIONS. If you had customized this setting, please move it to the security section.

[silverwind]

BTW, the reason I investigated this is to set a default CSP header. CSP does include a frame-ancestors directive that obsoletes X-Frame-Options, so I guess we could avoid double breaking changes by moving the option to CSP in this PR with a option like security.CSP_FRAME_ANCHESTORS.

[silverwind]

I guess it's alright to merge this as-is. If we introduce CSP later, we can change the default of this value to false. CSP is a bigger topic that I want to do in a separate PR.

[lunny]

Maybe we should have a warning if we detect the old value and have some warning on the admin panel.

[silverwind]

Maybe we should have a warning if we detect the old value and have some warning on the admin panel.

Should be possible. Any pointers where this warning code is?

[lunny]

You can use deprecatedSetting function, you can search the code and find some examples.