generate x-frame-options and csp equivalent (GoogleChrome#5826)

* generate x-frame-options and csp equivalent

* remove colon

Co-authored-by: Adam Raine <[email protected]>

Co-authored-by: Adam Raine <[email protected]>

Author: samthor

firebase-config.js

@@ -27,8 +27,13 @@ if (process.env.ELEVENTY_ENV === 'prod') {
     value:
       `script-src 'strict-dynamic' ${hashList.join(' ')} ` +
       `'unsafe-inline' http: https:; object-src 'none'; base-uri 'self'; ` +
+      `frame-ancestors 'self'; ` +
       `report-uri https://csp.withgoogle.com/csp/webdev`,
   });
+  firebaseJson.hosting.headers[0].headers.push({
+    key: 'X-Frame-Options',
+    value: 'SAMEORIGIN',
+  });
 }
 
 fs.writeFileSync('./firebase.json', JSON.stringify(firebaseJson, null, 2));