X-Frame-Options ALLOWALL directive set
Content-Security-Policy header without frame-ancestors