Alternatively, could we use the CSP frame-ancestors directive to prevent iframe embeds from other domains?