Fix X-Frame-Options Header to embed same-origin resources

[ridoo]

settings.py sets X_FRAME_OPIONS=DENY by default. Upstream "fixes" this by overriding the setting in its sample.env. However, if not set explicitly, the DENY option will be set and embedded documents are blocked by the browser to be displayed:

Solution:

Add X_FRAME_OPIONS=SAMEORIGIN to the settings_override.py.

/cc @gannebamm

[gannebamm]

You can also just place it explicitly in .env which is IMHO a bit easier.

[ridoo]

The setup keeps it as this:

• .env for environment specific settings
• settings.py (which becomes settings_override.py in the container -- I should rename the file btw) for setup specific settings

I added the option to the settings.py rather than .env, as X_FRAME_OPTIONS should always to be set to sameorigin.