Flukso website: X-Frame-Options

In the HTTP response headers of http://flukso.net the header X-Frame-Options is set to DENY.
DENY tells the browser to refuse rendering the page inside any frame, including frames on the same origin. This causes the image upload popup in the forum (which is loaded in a frame) to fail to display in modern browsers, and disables the on-the-fly attachment processing.

I think turning it off should be considered for at least the /img_assist/ and /upload/ HTML resources.

In nginx this is possible with:

# Only the upload/image-assist pages may be framed, and only by this site.
location ~* ^/(img_assist/.*|upload/.*)$ {
    add_header X-Frame-Options "SAMEORIGIN";
}

Please validate the exact security and performance implications for yourself!

The more refined successor is the CSP frame-ancestors directive (https://www.w3.org/TR/CSP2/#directive-frame-ancestors), which accepts a list of allowed framing origins instead of only "none" or "same origin".
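A fuller version of the nginx change, as an added example that is not Flukso's actual configuration: it shows the site-wide DENY beside the per-location override, adds the CSP frame-ancestors equivalent described above, and handles the two things that bite in practice (add_header inheritance, and a header that is emitted by the backend rather than by nginx). The server name, the PHP-FPM socket, the repeated nosniff header and the assumption that the forum is served through FastCGI are all assumptions made for the example.

```nginx
# Added example, not the real flukso.net configuration. Assumes the site-wide
# DENY comes from add_header in the server block and that the forum pages are
# served by a FastCGI (PHP-FPM) backend; both are assumptions.
server {
    listen 80;
    server_name flukso.net;

    # Site-wide default: refuse to be framed anywhere. This is the current
    # behaviour described in the post and the right default for most pages.
    add_header X-Frame-Options "DENY";
    add_header Content-Security-Policy "frame-ancestors 'none'";
    add_header X-Content-Type-Options "nosniff";   # assumed site-wide header

    # The upload/image-assist pages are rendered inside a same-origin popup
    # frame, so they must allow framing by this site (and only this site).
    location ~ ^/(img_assist|upload)/ {
        # Caveat: add_header is inherited from the server level ONLY when a
        # location defines no add_header of its own. As soon as one is added
        # here, every other site-wide header silently disappears for these
        # URLs unless it is repeated below.
        # "always" (nginx >= 1.7.5) also sends the header on 4xx/5xx responses.
        add_header X-Frame-Options "SAMEORIGIN" always;

        # CSP frame-ancestors is the refined successor: browsers that support
        # it ignore X-Frame-Options when this directive is present, and it can
        # name additional origins, e.g. "frame-ancestors 'self' https://example.org".
        add_header Content-Security-Policy "frame-ancestors 'self'" always;

        # Repeat the site-wide headers that would otherwise be lost.
        add_header X-Content-Type-Options "nosniff" always;

        # If the DENY header is produced by the application behind nginx rather
        # than by nginx itself, add_header only appends a second, conflicting
        # header. Strip the upstream copy so the override above is the one the
        # browser sees.
        fastcgi_hide_header X-Frame-Options;
        fastcgi_hide_header Content-Security-Policy;

        include fastcgi_params;
        fastcgi_pass unix:/run/php-fpm.sock;   # assumed backend socket
    }
}
```

After reloading, check the result with `curl -sI http://flukso.net/upload/` and `curl -sI http://flukso.net/` and compare the X-Frame-Options and Content-Security-Policy lines: the first should carry SAMEORIGIN / frame-ancestors 'self', the second DENY / frame-ancestors 'none', and the site-wide headers must appear in both. If the page is served through proxy_pass instead of FastCGI, the equivalent directive is proxy_hide_header.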