sourcegraph / sourcegraph-public-snapshot

Code AI platform with Code Search & Cody
https://sourcegraph.com

Notebook iframe embedding is broken because of modern browser updates #52037

Open cconcannon opened 1 year ago

cconcannon commented 1 year ago

Steps to reproduce:

  1. embed a notebook iframe in a web page
  2. access the page using Safari or Firefox

Expected behavior:

The notebook iframe renders and shows the notebook content

Actual behavior:

The iframe does not render notebook content because the browser does not send the Sourcegraph cookie when requesting the notebook. The Sourcegraph server responds to the unauthenticated request with headers that look like this:

HTTP/2 302 
date: Tue, 16 May 2023 19:00:04 GMT
content-type: text/html; charset=utf-8
cache-control: no-cache, max-age=0
location: /sign-in?returnTo=%2Fembed%2Fnotebooks%2FTm90ZWJvb2s6Njc%3D
vary: Authorization
vary: Cookie
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
via: 1.1 google
cf-cache-status: DYNAMIC
strict-transport-security: max-age=31536000; includeSubDomains; preload
server: cloudflare
cf-ray: 7c85dc8629e9cf35-SJC

The browser handling of the x-frame-options: DENY header is different in Safari vs. Firefox, but both result in an unintended user experience.

[Screenshot 2023-05-16 at 1:37:57 PM]
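The failure described above can be confirmed from a script rather than by opening each browser: the framed request arrives without the session cookie, the server answers with a 302 to the sign-in page, and that redirect carries x-frame-options: DENY, so no browser is allowed to render it inside the iframe. The following is an added example, not Sourcegraph's code; it parses the response quoted in this issue (embedded here as a constructed string, `ISSUE_RESPONSE`) and reports which of those conditions hold. Function and class names (`diagnose_embed`, `EmbedVerdict`, `cookie_usable_cross_site`) are hypothetical, and the cookie helper assumes a missing SameSite attribute is treated as Lax.

```python
"""Offline check of why a notebook embed iframe does not render.

Added example, not Sourcegraph code. Parses a raw HTTP response dump like the
one quoted in the issue and explains the outcome a browser would reach.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed from the response headers quoted in the issue.
ISSUE_RESPONSE = """\
HTTP/2 302
date: Tue, 16 May 2023 19:00:04 GMT
content-type: text/html; charset=utf-8
cache-control: no-cache, max-age=0
location: /sign-in?returnTo=%2Fembed%2Fnotebooks%2FTm90ZWJvb2s6Njc%3D
vary: Authorization
vary: Cookie
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000; includeSubDomains; preload
"""


@dataclass
class EmbedVerdict:
    status: int
    frameable: bool          # may a browser show this response inside an iframe?
    sign_in_redirect: bool   # was the request treated as unauthenticated?
    cookie_dependent: bool   # does the server vary the response on Cookie?
    reasons: list


def parse_response(raw: str):
    """Split a raw response dump into (status code, {header: [values]}).

    Header names are lowercased; repeated headers (the two 'vary' lines)
    are collected into a list instead of overwriting each other.
    """
    lines = [ln.rstrip() for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def diagnose_embed(raw: str) -> EmbedVerdict:
    """Explain why a framed request for an embed URL would or would not render."""
    status, h = parse_response(raw)
    reasons = []

    xfo = [v.upper() for v in h.get("x-frame-options", [])]
    frameable = not any(v in ("DENY", "SAMEORIGIN") for v in xfo)
    # CSP frame-ancestors 'none' forbids framing just like X-Frame-Options: DENY.
    for csp in h.get("content-security-policy", []):
        if "frame-ancestors" in csp and "'none'" in csp:
            frameable = False
    if not frameable:
        reasons.append(f"response forbids framing (x-frame-options={xfo or 'n/a'})")

    sign_in = False
    if 300 <= status < 400:
        loc = urlparse(h.get("location", [""])[0])
        if loc.path.endswith("/sign-in"):
            sign_in = True
            return_to = parse_qs(loc.query).get("returnTo", [""])[0]
            reasons.append(f"unauthenticated: redirected to sign-in, returnTo={return_to}")

    cookie_dependent = any("cookie" in v.lower() for v in h.get("vary", []))
    if cookie_dependent:
        reasons.append("response varies on Cookie: the session cookie was not sent "
                       "with the framed (cross-site) request")
    return EmbedVerdict(status, frameable, sign_in, cookie_dependent, reasons)


def cookie_usable_cross_site(set_cookie: str) -> bool:
    """True only if a Set-Cookie value is eligible to be sent from a cross-site
    iframe: SameSite=None together with Secure. A missing SameSite attribute is
    treated as Lax here (assumption). Browsers that block third-party cookies
    outright (Safari ITP, Firefox strict ETP) withhold it anyway, so this is a
    necessary, not sufficient, condition.
    """
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    samesite = next((a.split("=", 1)[1] for a in attrs if a.startswith("samesite=")), "lax")
    return samesite == "none" and "secure" in attrs


if __name__ == "__main__":
    verdict = diagnose_embed(ISSUE_RESPONSE)
    print(f"status={verdict.status} frameable={verdict.frameable}")
    for r in verdict.reasons:
        print(" -", r)
```

Run against the issue's response it reports a 302 to the sign-in page, a response that varies on Cookie, and a DENY framing policy; together those three say the embed cannot work for any browser that withholds the cookie, independent of how Safari or Firefox then render the blocked frame.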

cconcannon commented 1 year ago

I made a PR to our docs to clarify the known limitations. https://github.com/sourcegraph/sourcegraph/pull/52200