Describe the bug
Any website on the listed.to domain and all listed.to custom domains return multiple x-frame-options headers. They're also both different (sameorigin and deny). Browsers don't expect multiple x-frame-options headers and this results in undefined behavior. You should only send a single x-frame-options header.
To Reproduce
Steps to reproduce the behavior:
1. Go to listed.to
2. Look at the HTTP headers
More
X-Content-Type-Options is also doubled up, but contains the same content both times. Could still confuse some browsers and should be avoided. Also you probably don't want to send X-Powered-By and Server headers in production.
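A check for the conditions reported above, as an added example that is not part of the original issue or the project's code. The function names are hypothetical and the sample response is constructed (the `Server` and `X-Powered-By` values are illustrative, not captured from listed.to).

```python
from collections import defaultdict

# Constructed sample response head mirroring the report; values are illustrative.
SAMPLE = """\
HTTP/1.1 200 OK
Server: nginx
X-Powered-By: Express
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8

"""

SINGLETON = ("x-frame-options", "x-content-type-options")  # must appear once
DISCLOSURE = ("x-powered-by", "server")                    # stack fingerprinting

def parse_headers(raw):
    """Group header values by lowercased name, keeping repeats in order."""
    headers = defaultdict(list)
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:      # skip the status line
        if not line:            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return headers

def audit(raw):
    """Return (header, finding, values) tuples for the issues in the report."""
    headers = parse_headers(raw)
    findings = []
    for name in SINGLETON:
        # Intermediaries may fold repeated fields into one comma-separated
        # value, so count those tokens as separate occurrences too.
        tokens = [t.strip().lower()
                  for v in headers.get(name, []) for t in v.split(",")]
        if len(tokens) > 1:
            kind = "conflicting" if len(set(tokens)) > 1 else "duplicate"
            findings.append((name, kind, tokens))
    for name in DISCLOSURE:
        if name in headers:
            findings.append((name, "disclosure", headers[name]))
    return findings
```

Feeding it the output of `curl -sI` against a deployment makes this usable as a regression check after the header configuration is fixed.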