# Response-header hardening for this site. The whole block is skipped silently
# when mod_headers is not loaded, so none of these headers are sent in that
# case; verify the module is enabled rather than relying on this file alone.
<IfModule mod_headers.c>
	# Legacy switch for the browser's built-in XSS filter. Current Chrome, Edge
	# and Firefox ignore it, so it only affects old engines; a Content-Security-
	# Policy is the effective control, and none is active in this file.
	# Without the "always" condition this header and the next one are only added
	# to the onsuccess table, so locally generated error responses do not carry
	# them (per the mod_headers documentation).
    Header set X-XSS-Protection "1; mode=block"
	# Tells the browser not to MIME-sniff; responses must then carry a correct
	# Content-Type or scripts and stylesheets may be refused.
	Header set X-Content-Type-Options nosniff
	# Appends HttpOnly and Secure to every Set-Cookie header in the onsuccess
	# table. The attributes are added unconditionally, so a cookie that already
	# has them ends up with duplicates, and a cookie that client-side script
	# must read will stop being readable. Secure cookies are never sent over
	# plain HTTP, so the site has to be served over HTTPS only. No SameSite
	# attribute is added here.
	# NOTE(review): cookies emitted through the "always" table (for example on
	# error responses) are presumably not rewritten by this line - confirm.
	Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
	
	# Disabled drafts. ALLOW-FROM is obsolete and not honoured by current
	# browsers, and it accepts a single origin only, so these would not have
	# restricted framing even if enabled.
	#Header set X-Frame-Options: "ALLOW-FROM https://static2.sharepointonline.com/" 
	#Header set X-Frame-Options: "ALLOW-FROM https://ajax.aspnetcdn.com/" 
	#Header set X-Frame-Options: "ALLOW-FROM https://appsforoffice.microsoft.com/"
	
	# Removes X-Frame-Options from the "always" table. With every CSP line below
	# commented out, nothing in this file restricts which sites may frame these
	# pages (clickjacking exposure).
	# NOTE(review): presumably done so the pages can be embedded by an Office /
	# SharePoint host - confirm, and replace with a CSP "frame-ancestors" list of
	# the real embedding parents instead of removing the restriction outright.
	# NOTE(review): an X-Frame-Options header set by the application in the
	# onsuccess table is likely left untouched by "always unset" - verify.
	Header always unset X-Frame-Options
	
	# Disabled: a comma-separated origin list is not valid ALLOW-FROM syntax.
	#Header set X-Frame-Options: "ALLOW-FROM https://static2.sharepointonline.com, https://ajax.aspnetcdn.com, https://appsforoffice.microsoft.com"
	
	# Disabled CSP drafts; no Content-Security-Policy is sent at present.
	# Points to settle before enabling either one:
	#  - 'unsafe-inline' and 'unsafe-eval' in script-src remove most of the XSS
	#    protection a CSP provides.
	#  - a "*.host" source matches subdomains only, so "*.ajax.aspnetcdn.com" and
	#    "*.appsforoffice.microsoft.com" do not match those hosts themselves.
	#  - neither draft has a frame-ancestors directive, so framing stays open.
	#Header always set Content-Security-Policy "default-src 'self' *.sharepointonline.com *.ajax.aspnetcdn.com *.appsforoffice.microsoft.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.sharepointonline.com *.ajax.aspnetcdn.com *.appsforoffice.microsoft.com; style-src 'self' 'unsafe-inline' *.jsdelivr.net; img-src data: *; object-src 'none'"
	#Header always set Content-Security-Policy "default-src 'self' *.sharepointonline.com *.ajax.aspnetcdn.com *.appsforoffice.microsoft.com"
	
	# Disabled: frame-src limits what these pages may load inside their own
	# frames; it does not control which sites may frame these pages (that is
	# frame-ancestors), so it is not a substitute for X-Frame-Options.
	#Header set Content-Security-Policy "frame-src 'self' https://static2.sharepointonline.com https://ajax.aspnetcdn.com https://appsforoffice.microsoft.com" 

</IfModule>
