Consider supporting removal of X-Frame-Options header in iframe brick

[twschiller]

Some pages can't be embedded in the iframe brick because of the X-Frame-Options in their header.

We could support removing these out via the web request API to allow any page to be embedded: https://stackoverflow.com/a/15534822/402560

Considerations:

• Including webRequest permission will require people to re-active PixieBrix on the next update
• May also need to modify sec-fetch-dest on the request
• PixieBrix needs permission to the host of the iframe in order to be able to edit the requests/responses, so include the host in the permissions grant check
• Only one extension can edit headers
• In the future, if we're building a dnd interface for the main editor outside the dev tools, we'll like need to do this anyway in order to embed an arbitrary page in an iframe for editing using the dnd interface

Security considerations:

• https://javascript.info/clickjacking
• Should limit the header editing to frames/tabs where we know it's the PixieBrix panel embedding it

[fregante]

Should we add the permission to optional_permissions instead?

[twschiller]

IIRC, in Manifest v2 it can't be marked as optional. In v3 declarativeNetRequest is mandatory:

https://developer.chrome.com/docs/extensions/reference/permissions/#step-2-declare-optional-permissions-in-the-manifest