kartoza / docker-geoserver

A docker recipe for GeoServer
GNU General Public License v2.0

XFRAME_OPTIONS does not work as expected. #616

Closed Jason-Daily-Dev closed 7 months ago

Jason-Daily-Dev commented 10 months ago

What is the bug or the crash?

I need to allow pop-up windows to work for the WMS service, which is used in ArcGIS Online web mapping. I tried to follow the instructions and set the env XFRAME_OPTIONS="false", but I still see the response header x-frame-options: SAMEORIGIN. I am not sure whether this env is meant for this purpose, or whether there is any way to set the x-frame-options header for one specific origin, or for any origin?

This is from the README: https://github.com/kartoza/docker-geoserver?tab=readme-ov-file

XFRAME_OPTIONS="true" - In order to prevent clickjacking attacks GeoServer defaults to setting the X-Frame-Options HTTP header to SAMEORIGIN. Controls whether the X-Frame-Options filter should be set at all. Default is true

Steps to reproduce the issue

  1. set a custom Dockerfile

    # Use the base image
    FROM kartoza/geoserver:2.24.1

    ENV XFRAME_OPTIONS=false
    ENV GEOSERVER_ADMIN_USER=admin
    ENV GEOSERVER_ADMIN_PASSWORD=geoserver

    EXPOSE 8080

2. build and run the Docker container.

3. try curl
`curl -v http://localhost:8080/geoserver/web`

4. the response still carries the header `x-frame-options: SAMEORIGIN`.

### Versions

About GeoServer
General information about GeoServer

Build Information
GeoServer Version
2.24.1
Git Revision
aa9710bac2c7c96e9132cc23cbf7d219e79723df
Build Date
25-Nov-2023 01:32
GeoTools Version
30.1 (rev f5888e5f560e7cd0f94c00d3083106281c7e9ff6)
GeoWebCache Version
1.24.1 (rev 1.24.x/c91bab60325f2deed55c2e1b71441156e6814146)

### Additional context

_No response_
NyakudyaA commented 7 months ago

Please check the documentation properly: https://docs.geoserver.org/latest/en/user/production/config.html#x-frame-options-policy
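The reporter's second question, how to allow framing for one specific origin, is not something X-Frame-Options can express: current browsers honour only DENY and SAMEORIGIN, the old ALLOW-FROM token is ignored, and switching the filter off (what XFRAME_OPTIONS=false aims at) leaves the page framable by any origin, which is exactly the clickjacking exposure the header exists to prevent. Admitting a single third-party origin needs a Content-Security-Policy frame-ancestors directive instead, which browsers prefer over X-Frame-Options when both are present. The checker below is an added example, not code from the kartoza/docker-geoserver project or from anyone in the thread; it parses a raw HTTP response head such as `curl -si http://localhost:8080/geoserver/web` prints and reports who may frame the page. The three header blocks are constructed for illustration, and the ArcGIS Online origin `https://www.arcgis.com` in the allowlist sample is an assumption, not taken from the issue.

```python
"""Classify how a GeoServer page may be framed from its raw HTTP response.

Added example, not part of the kartoza/docker-geoserver project. The three
header blocks below are constructed, not captured from a running container.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- constructed sample responses -------------------------------------------

# GeoServer default: the X-Frame-Options filter is active.
SAMPLE_DEFAULT = (
    "HTTP/1.1 200 \r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# What the reporter was after: the filter switched off, so no header at all.
SAMPLE_XFO_DISABLED = (
    "HTTP/1.1 200 \r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Admitting one third-party origin needs CSP frame-ancestors, which current
# browsers honour in preference to X-Frame-Options. The ArcGIS Online origin
# is an assumption for illustration, not taken from the thread.
SAMPLE_CSP_ALLOWLIST = (
    "HTTP/1.1 200 \r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: frame-ancestors 'self' https://www.arcgis.com\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)


@dataclass
class FramingPolicy:
    source: str            # "csp", "x-frame-options" or "none"
    value: Optional[str]   # the header text the decision was based on
    framable_by: str       # "nobody", "same-origin", "allowlist" or "anyone"


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to their values, stopping at the blank line."""
    headers: Dict[str, List[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def framing_policy(raw: str) -> FramingPolicy:
    """Decide who may embed this response in a frame."""
    headers = parse_headers(raw)

    # A CSP frame-ancestors directive overrides X-Frame-Options in browsers
    # that support it, so it is checked first.
    for csp in headers.get("content-security-policy", []):
        for directive in csp.split(";"):
            tokens = directive.strip().split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = [t.strip("'").lower() for t in tokens[1:]]
                if not sources or sources == ["none"]:
                    who = "nobody"
                elif sources == ["self"]:
                    who = "same-origin"
                elif "*" in sources:
                    who = "anyone"
                else:
                    who = "allowlist"
                return FramingPolicy("csp", directive.strip(), who)

    xfo = [v.lower() for v in headers.get("x-frame-options", [])]
    if xfo:
        if "deny" in xfo:
            who = "nobody"
        elif all(v == "sameorigin" for v in xfo):
            who = "same-origin"
        else:
            # ALLOW-FROM and other unknown tokens are not honoured by current
            # browsers; the header is then ignored and framing is allowed.
            who = "anyone"
        return FramingPolicy("x-frame-options", ", ".join(xfo), who)

    # Neither header present: any origin can frame the page (clickjacking exposure).
    return FramingPolicy("none", None, "anyone")


if __name__ == "__main__":
    for label, raw in (("default", SAMPLE_DEFAULT),
                       ("xfo disabled", SAMPLE_XFO_DISABLED),
                       ("csp allowlist", SAMPLE_CSP_ALLOWLIST)):
        p = framing_policy(raw)
        print(f"{label:14s} source={p.source:16s} framable_by={p.framable_by:12s} ({p.value})")
```

To check a real container, replace the constructed samples with the output of `curl -si http://localhost:8080/geoserver/web` and run `framing_policy` on it: a result of `source="none"` confirms the filter is off and the page is framable by anyone, while an `allowlist` result shows that only the named origins can embed it, which is the outcome a WMS pop-up in a third-party map viewer actually needs.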