set x-frame policy to SAMEORIGIN.
The media file editor is displayed in an iframe. To allow this, the X-Frame-Options policy has to be set to 'SAMEORIGIN'.
diff --git a/app/src/main/webapp/WEB-INF/security.xml b/app/src/main/webapp/WEB-INF/security.xml
index 99099b5..08e7c62 100644
--- a/app/src/main/webapp/WEB-INF/security.xml
+++ b/app/src/main/webapp/WEB-INF/security.xml
@@ -50,6 +50,11 @@
<!-- roller already uses its own salt based CSRF protection-->
<csrf disabled="true"/>
+
+ <!-- some roller UI (i.e. media file editor) uses iframes -->
+ <headers>
+ <frame-options policy="SAMEORIGIN"/>
+ </headers>
</http>
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
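Review bot: The `<frame-options policy="SAMEORIGIN"/>` added inside `<http>` applies to every response this block serves, so login and admin pages become frameable by any same-origin page, not only the media file editor. If weblog pages with author-controlled templates share that origin (not visible in this hunk), this widens clickjacking exposure, and the salt-based check mentioned next to `<csrf disabled="true"/>` does not stop a framed click. Consider keeping the default DENY and relaxing the policy only for the editor's URL, for example through a separate `<http pattern="…">` block or a header writer bound to a request matcher. The comment could then state the scope: `<!-- SAMEORIGIN is needed only for the media file editor iframe; all other pages should stay DENY -->`. The `<http>` element opens outside the hunk, so other header settings may exist that are not shown here.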