diff --git a/www/checkup/main.js b/www/checkup/main.js
index 143d1709b..f4a40d11e 100644
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
@@ -732,7 +732,6 @@ define([
         cb(isHTTPS(trimmedUnsafe) && isHTTPS(trimmedSafe));
     });
 
-
     [
         'sheet',
         'presentation',
@@ -787,7 +786,7 @@ define([
                     " header. This information can make it easier for attackers to find and exploit known vulnerabilities. ",
                 ];
 
-                if (family === 'NGINX') { // XXX incorrect instructions for HTTP2. needs a recompile?
+                if (family === 'NGINX') { // FIXME incorrect instructions for HTTP2. needs a recompile?
                     msg.appendChild(h('span', text.concat([
                         "This can be addressed by setting ",
                         code("server_tokens off"),
diff --git a/www/convert/inner.js b/www/convert/inner.js
index 4952b2d6e..cdcf745ca 100644
--- a/www/convert/inner.js
+++ b/www/convert/inner.js
@@ -48,7 +48,6 @@ define([
         debug("x2t mount done");
     };
     var getX2t = function (cb) {
-        // XXX require http headers on firefox...
         require(['/common/onlyoffice/x2t/x2t.js'], function() { // FIXME why does this fail without an access-control-allow-origin header?
             var x2t = window.Module;
             x2t.run();