It seems the server configuration for X-Frame-Options is now set to SAMEORIGIN, but I didn't make any change to cause this. As of a few weeks ago, I could embed within an iFrame successfully. We are hosted in OutSystems, and it seems this change may have been made during the upgrade to v11. I need to embed part of the OutSystems app in an iFrame, so for now this isn't possible. Can I modify this setting somehow?
I tried using HttpRequestHeaders to add a directive, but then there are two headers and an error is created: "Refused to display '***' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('allow-from https://www.***.com, SAMEORIGIN'). Falling back to 'deny'."