We just landed support for the CSP frame-ancestors directive. It’s disabled by default for now behind the content security policy frame ancestors site setting. You can add domains to the list via /admin/customize/embedding as always.
This directive will be enabled by default in the next release cycle.