frameAncestors = array_map(function ($source) { return preg_replace('~^(self|none)$~', "'$1'", $source); }, $frameAncestors); if (in_array("'none'", $this->frameAncestors)) { $this->frameAncestors = []; } } public function sendHeaders() { // Note: Do not unset X-Frame-Options if ancestors list contains only URL pages without 'self' source. // It would lower the security on old browsers without Content-Security-Policy support. if (in_array("'self'", $this->frameAncestors)) { header("X-Frame-Options: SAMEORIGIN"); } return null; } public function updateCspHeader(array &$csp) { if ($this->frameAncestors) { $current = isset($csp["frame-ancestors"]) ? $csp["frame-ancestors"] . " " : ""; $csp["frame-ancestors"] = $current . implode(" ", $this->frameAncestors); } return null; } public function printToHead() { if (!$this->frameAncestors) { return null; } ?>