[Bug]: X-Frame-Options is obsoleted by CSP frame-ancestors and is not checked in security overview

⚠️ This issue respects the following points: ⚠️

[X] This is a bug, not a question or a configuration/webserver/proxy issue.
[X] This issue is not already reported on Github (I've searched it).
[X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
[X] Nextcloud Server is running on 64bit capable CPU, PHP and OS.
[X] I agree to follow Nextcloud's Code of Conduct.

Bug description

X-Frame-Options has been obsoleted by Content-Security-Policy's frame-ancestors directive and the security check should pass if either are present, instead of just checking X-Frame-Options. Documentation and the server scanner may also need to be updated if this change is made.

Steps to reproduce

Set header Content-Security-Policy: frame-ancestors 'self' https://somesite.com
Visit the server security overview page or test the server with the server scanner
Receive warning about X-Frame-Options

Expected behavior

Only show warning if both X-Frame-Options and Content-Security-Policy are missing, potentially encourage users to include CSP frame-ancestors instead of/and replace SAMEORIGIN.

Installation method

No response

Operating system

No response

PHP engine version

No response

Web server

No response

Database engine version

No response

Is this bug present after an update or on a fresh install?

No response

Are you using the Nextcloud Server Encryption module?

No response

What user-backends are you using?

[ ] Default user-backend (database)
[ ] LDAP/ Active Directory
[ ] SSO - SAML
[ ] Other

Configuration report

No response

List of activated Apps

unnecessary

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response

nextcloud / server