set x-frame policy to SAMEORIGIN. media file editor is used in an iframe. To allow this we have to set the policy to 'sameorigin'.

commit: 26d97ffdd46bedbaba576a086875678de67d0cb9 [log] [tgz]
author: Michael Bien <mbien42@gmail.com> Thu Jul 16 13:03:58 2020 +0200
committer: Michael Bien <mbien42@gmail.com> Thu Sep 17 15:52:16 2020 +0200
tree: cd26b86a59e0b35c51951ba044cec453ba45c825
parent: 8800c321a8878ef2cb006b85bd12ca5c69630706 [diff]
diff --git a/app/src/main/webapp/WEB-INF/security.xml b/app/src/main/webapp/WEB-INF/security.xml
index 99099b5..08e7c62 100644
--- a/app/src/main/webapp/WEB-INF/security.xml
+++ b/app/src/main/webapp/WEB-INF/security.xml

@@ -50,6 +50,11 @@
         
         <!-- roller already uses its own salt based CSRF protection-->
         <csrf disabled="true"/>
+        
+        <!-- some roller UI (i.e. media file editor) uses iframes -->
+        <headers>
+            <frame-options policy="SAMEORIGIN"/>
+        </headers>
     </http>
 
     <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
commit	26d97ffdd46bedbaba576a086875678de67d0cb9	[log] [tgz]
author	Michael Bien <mbien42@gmail.com>	Thu Jul 16 13:03:58 2020 +0200
committer	Michael Bien <mbien42@gmail.com>	Thu Sep 17 15:52:16 2020 +0200
tree	cd26b86a59e0b35c51951ba044cec453ba45c825
parent	8800c321a8878ef2cb006b85bd12ca5c69630706 [diff]