• X-Frame-Options ALLOWALL directive set
  • Content-Security-Policy header without frame-ancestors