Just to clarify what is happening here, we ship a header with Discourse called:
X-Frame-Options: SAMEORIGIN
This stops sites adding yours site as an IFRAME which is a filthy SEO trick some people do to steal page rank and causes overall levels of confusion and do nasty things like clickjacking:
What I strongly support adding to Discourse is some ability to customize this header:
This particular request does not come up too often, but I do support amending it. It is a bit of a tricky change cause we do need some defense in depth here, some of our assets are delivered not via the app and we can not swap in the magic value there.