feature: configure CORS/allow loading website as an iframe for gnosis safe apps

[mmv08]

Is your feature request related to a problem? Please describe. A follow up on: https://github.com/yearn/yearn-finance/pull/400 The Safe wallet needs to be able to access https://yearn.finance/manifest.json but it's currently not possible because CORS is not configured. The Wallet also loads the apps as an iframe but currently, the server doesn't allow to do that

Describe the solution you'd like

• Include the following headers for manifest.json

  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Methods": "GET",
  "Access-Control-Allow-Headers": "X-Requested-With, content-type, Authorization",

  The PR included that but it doesn't seem to work.

• Allow the website to be loaded as an iframe Use Content-Security-Policy header instead of x-frame-options, with this header you can specify domains to allow the website to be loaded as an iframe, for example:

  content-security-policy: frame-ancestors https://gnosis-safe.io;

Additional context

[ghost]

@mikheevm I've added the header you suggested to yearn.dev. Currently x-frame-options is in-tact. Does that need to change as well? If I remove x-frame-options does that mean anyone can load yearn.finance in an iframe? If so that is undesirable. I've reached out to you in discord, please @ me or ping me there so we can debug together when you get a moment. Thanks!

[ghost]

Marking this as resolved as @mikheevm has confirmed that this is working as expected now.