[stable18] Fix security header setting in .htaccess by adding 'onsuccess unset'

.htaccess

@@ -11,13 +11,30 @@
 
   <IfModule mod_env.c>
     # Add security and privacy related headers
+
+    # Avoid doubled headers by unsetting headers in "onsuccess" table,
+    # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
+    Header onsuccess unset Referrer-Policy
     Header always set Referrer-Policy "no-referrer"
+
+    Header onsuccess unset X-Content-Type-Options
     Header always set X-Content-Type-Options "nosniff"
+
+    Header onsuccess unset X-Download-Options
     Header always set X-Download-Options "noopen"
+
+    Header onsuccess unset X-Frame-Options
     Header always set X-Frame-Options "SAMEORIGIN"
+
+    Header onsuccess unset X-Permitted-Cross-Domain-Policies
     Header always set X-Permitted-Cross-Domain-Policies "none"
+
+    Header onsuccess unset X-Robots-Tag
     Header always set X-Robots-Tag "none"
+
+    Header onsuccess unset X-XSS-Protection
     Header always set X-XSS-Protection "1; mode=block"
+
     SetEnv modHeadersAvailable true
   </IfModule>