duplicated CSP frame-ancestors policy

[wkloucek]

Describe the bug

On the root path of oCIS, we get two content-security-policy headers. One has a static frame-ancestors 'self' config

Steps to reproduce

1. run oCIS 6.3.0 eg. in Kubernetes using the development-install deployment example
2. open oCIS, eg https://ocis.kube.owncloud.test/ after opening the network console
3. Look at the request to https://ocis.kube.owncloud.test/

Expected behavior

Have one header content-security-policy reflecting my oCIS csp configuration.

Actual behavior

Further context

The second header seems to be statically set to frame-ancestors 'self' and always there, even if I have a more sophisticated CSP config

[wkloucek]

This additional header probably originates here:

ocis/services/web/pkg/middleware/silentrefresh.go

Lines 7 to 13 in a7a10f8

	// SilentRefresh allows the oidc client lib to silently refresh the token in an iframe
	func SilentRefresh(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Security-Policy", "frame-ancestors 'self'")
	next.ServeHTTP(w, r)
	})
	}

[wkloucek]

And what it actually does: it takes precedence over the frame-ancestors policy in the first header...