diff --git a/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
index 8dc9bac392eac15ca673acab3b507e6851e8814f..6fc54a38c00f23ce78f265a8906462d2a5325714 100644
--- a/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
+++ b/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
@@ -123,8 +123,10 @@ public function onRespond(ResponseEvent $event) {
 // different from the declared content-type, since that can lead to
 // XSS and other vulnerabilities.
 // https://owasp.org/www-project-secure-headers
- $response->headers->set('X-Content-Type-Options', 'nosniff', FALSE);
- $response->headers->set('X-Frame-Options', 'SAMEORIGIN', FALSE);
+ $response->headers->set('X-Content-Type-Options', 'nosniff');
+ if (!$response->headers->has('X-Frame-Options')) {
+ $response->headers->set('X-Frame-Options', 'SAMEORIGIN');
+ }

 // If the current response isn't an implementation of the
 // CacheableResponseInterface, we assume that a Response is either
diff --git a/core/tests/Drupal/BuildTests/Composer/Template/ComposerProjectTemplatesTest.php b/core/tests/Drupal/BuildTests/Composer/Template/ComposerProjectTemplatesTest.php
index 23d0dbbf68e698e07d161f0d3438a491a8aa042c..9fb7fd7804b6b8d66e9634e019d7317a5763ef6c 100644
--- a/core/tests/Drupal/BuildTests/Composer/Template/ComposerProjectTemplatesTest.php
+++ b/core/tests/Drupal/BuildTests/Composer/Template/ComposerProjectTemplatesTest.php
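Review bot: In FinishResponseSubscriber::onRespond(), the new `has('X-Frame-Options')` guard tests only that the header is present, so any value set earlier on the response, including an empty or unrecognised one, is sent in place of the `SAMEORIGIN` default. The comment above the two calls explains only `nosniff`, so nothing tells a reader that this override is intended. I would add `// Keep an X-Frame-Options value already set on the response; SAMEORIGIN is only the default.` directly above the `if`. `X-Content-Type-Options` is now overwritten unconditionally, which looks deliberate but deserves a word in the same comment. The body of onRespond() starts and ends outside this hunk.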
@@ -30,9 +30,12 @@ class ComposerProjectTemplatesTest extends ComposerBuildTestBase {
 /**
 * The minimum stability requirement for dependencies.
 *
+ * @todo Temporarily changing to 'beta' to allow php-tuf/composer-stager
+ * dependency. This will be done in https://drupal.org/i/3331078.
+ *
 * @see https://getcomposer.org/doc/04-schema.md#minimum-stability
 */
- protected const MINIMUM_STABILITY = 'stable';
+ protected const MINIMUM_STABILITY = 'beta';

 /**
 * The order of stability strings from least stable to most stable.
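Review bot: The added `@todo` on `MINIMUM_STABILITY` does not say what "This will be done" refers to, so a later reader cannot tell whether the linked issue introduces the dependency or puts the constant back to `'stable'`. As far as the visible lines show, the constant is a single value for all dependencies, so `'beta'` loosens the stability check for every package and not only for php-tuf/composer-stager. If the linked issue is where the value is restored, I would word it as `@todo Temporarily 'beta' to allow php-tuf/composer-stager; this relaxes the check for all dependencies. Restore 'stable' in https://drupal.org/i/3331078.` The class body continues outside this hunk.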