Secure headers fix for elfinder and tinymce.

Signed-off-by: Joshua Parker <joshua@joshuaparker.dev>

Author: nomadicjosh

config/headers.php

@@ -416,16 +416,17 @@
 
             'self' => true,
 
+            'data' => true,
+
             'report-sample' => false,
 
             'allow' => [
                 'gravatar.com',
                 'www.gravatar.com',
-                'cdnjs.cloudflare.com/',
+                'cdnjs.cloudflare.com',
             ],
 
             'schemes' => [
-                'data:',
                 'http:',
                 'https:',
             ],
@@ -518,6 +519,21 @@
             'unsafe-inline' => true,
         ],
 
+        'frame-src' => [
+            'none' => false,
+            'self' => true,
+            'allow' => [
+                'cdnjs.cloudflare.com',
+            ],
+
+            'data' => true,
+
+            'schemes' => [
+                'http:',
+                'https:',
+            ],
+        ],
+
         'style-src' => [
             'none' => false,