Change the X-Frame-Options to allow all domains
If you set it, then you can only set it to DENY, SAMEORIGIN, or ALLOW-FROM (a specific origin).
Allowing all domains is the default. Don't set the X-Frame-Options
header at all if you want that.
Note that the successor to X-Frame-Options
— CSP's frame-ancestors
directive — accepts a list of allowed origins so you can easily allow some origins instead of none, one or all.
ALLOWALL is the default value.
Sometimes frameworks MVC such as Rails, Laravel, Django and so on, set a X_FRAME_OPTIONS to SAMEORIGIN so someone might need to reset it to the origin ALLOWALL
value.