greenpeace / planet4

Built on top of WordPress tech, Greenpeace Planet 4 powers digital platforms to engage with millions and win campaigns around the world.
https://planet4.greenpeace.org
Creative Commons Attribution Share Alike 4.0 International

PLANET-5897 Allow embedding Planet4 content into third party websites #132

Closed stduerre closed 3 years ago

stduerre commented 3 years ago

We have cases in GP Switzerland where we would like to embed content from our Planet4 website into third party websites. For example:

At the moment, NGINX is set up to send an x-frame-options: SAMEORIGIN header (related config), which prohibits other pages (on different domains) from embedding our content.

Suggested solution: Set the header from WordPress instead of NGINX and provide a filter to remove it from certain pages. Alternatively, if we want to allow embedding only for certain trusted 3rd party domains, there's a way to do that: instead of only removing the x-frame-options, a list of trusted domains to embed our content could be added through a Content-Security-Policy: frame-ancestors <source>; header (more info).

oekeur commented 3 years ago

GP Netherlands would also really like this! Our use case is for use in cross-domain cookies. We have two domains in use (greenpeace.nl & greenpeace.org/nl). By embedding a (lightweight) iframe of domain A into domain B, we are able to exchange the cookie consent. Currently this only works one-way; if we were able to embed Planet4 into our other domain, we would have to show fewer cookie notices, resulting in a better UX.

Having an option to filter the x-frame option and to set a domain in the CSP header would be awesome!
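
The approach proposed in this issue, written out as an added example (not part of the thread and not Planet 4 code): the framing headers are sent from WordPress, and a filter lets selected pages name trusted origins for `frame-ancestors`. The filter name `p4_frame_ancestors`, the page slug `embed-widget` and the origin `https://partner.example` are hypothetical, and the example assumes the NGINX `x-frame-options` header has been removed so the two do not conflict.

```php
<?php
// Added example, not Planet 4 code. Filter name, page slug and partner origin are hypothetical.

/**
 * Build framing headers from a list of trusted origins.
 * Entries that are not a bare https origin are dropped, so a faulty filter
 * callback cannot inject wildcards, extra CSP directives or header line breaks.
 */
function p4_frame_headers(array $origins): array
{
    $pattern = '#\Ahttps://[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d{1,5})?\z#i';
    $trusted = [];
    foreach ($origins as $origin) {
        if (is_string($origin) && preg_match($pattern, $origin)) {
            $trusted[] = strtolower($origin);
        }
    }
    $trusted = array_values(array_unique($trusted));

    if ($trusted === []) {
        // Default: same effect as the current NGINX header, plus the CSP equivalent.
        return [
            'X-Frame-Options'         => 'SAMEORIGIN',
            'Content-Security-Policy' => "frame-ancestors 'self'",
        ];
    }
    // X-Frame-Options cannot express a list of origins, so only CSP is sent here.
    return [
        'Content-Security-Policy' => "frame-ancestors 'self' " . implode(' ', $trusted),
    ];
}

if (function_exists('add_action')) {
    // template_redirect runs after the main query (is_page() works in callbacks)
    // and before any output, so headers can still be sent.
    add_action('template_redirect', function () {
        $origins = apply_filters('p4_frame_ancestors', []);
        foreach (p4_frame_headers((array) $origins) as $name => $value) {
            // Append instead of replace: an existing CSP header stays in force.
            header("{$name}: {$value}", false);
        }
    });

    // Constructed usage: one page opts in to embedding by one partner site.
    add_filter('p4_frame_ancestors', function (array $origins) {
        return is_page('embed-widget') ? array_merge($origins, ['https://partner.example']) : $origins;
    });
}
```

Pages without a filter callback keep the SAMEORIGIN behaviour; only pages that return at least one valid origin become embeddable, and only by the origins listed.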