Add CSP frame-ancestors, make X-Frame-Options conditional (#977)

The X-Frame-Options header has been obsoleted by the frame-ancestors
directive. Retain the X-Frame-Options header for older browsers.

Return empty X-Frame-Options header for WordPress Customizer content
to prevent the conflict that SAMEORIGIN would have with the ALLOW-FROM
option that WordPress adds on its own (Safari browser).
Discussion in https://core.trac.wordpress.org/ticket/40020

CHANGELOG.md

@@ -1,4 +1,5 @@
 ### HEAD
+* Add CSP `frame-ancestors`, make `X-Frame-Options` conditional ([#977](https://github.com/roots/trellis/pull/977))
 * Common: Install `git` instead of `git-core`  ([#989](https://github.com/roots/trellis/pull/989))
 * Add `xdebug.remote_autostart` to simplify xdebug sessions  ([#985](https://github.com/roots/trellis/pull/985))
 * Enable nginx to start on boot ([#980](https://github.com/roots/trellis/pull/980))

roles/nginx/templates/h5bp/directive-only/extra-security.conf

@@ -1,6 +1,6 @@
 # The X-Frame-Options header indicates whether a browser should be allowed
 # to render a page within a frame or iframe.
-add_header X-Frame-Options SAMEORIGIN always;
+# add_header X-Frame-Options SAMEORIGIN always;
 
 # MIME type sniffing security protection
 #	There are very few edge cases where you wouldn't want this enabled.

roles/wordpress-setup/templates/wordpress-site.conf.j2

@@ -161,6 +161,20 @@ server {
 
   {% endblock %}
 
+  {% block embed_security -%}
+  {% if item.value.nginx_embed_security | default(nginx_embed_security | default(true)) -%}
+  add_header Content-Security-Policy "frame-ancestors 'self'" always;
+
+  # Conditional X-Frame-Options until https://core.trac.wordpress.org/ticket/40020 is resolved
+  set $x_frame_options SAMEORIGIN;
+  if ($arg_customize_changeset_uuid) {
+    set $x_frame_options "";
+  }
+  add_header X-Frame-Options $x_frame_options always;
+
+  {% endif -%}
+  {% endblock -%}
+
   {% block location_php -%}
   location ~ \.php$ {
     {% block location_php_basic -%}