cups
Option to disable no iframe header policy
There should be an option to set a Content-Security-Policy header to allow embedding from specified URLs.
Alternative to X-Frame-Options: Content Security Policy (CSP)
While X-Frame-Options is a simple and effective solution, it's somewhat limited. The modern and more flexible alternative is the Content Security Policy (CSP) with the frame-ancestors directive, which offers better control and granularity.
Also, if the CUPS server is only being bound to an internal network IP, the risk is minimal anyway. Just leave the default as it is and put the appropriate warnings/instructions in the documentation.
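
The difference between the two headers discussed in this request, as an added example (not CUPS code and not part of the original post): a simplified Python model of how a browser decides whether an embedding page may frame a response. It checks only the direct embedder, does not handle port wildcards, and uses constructed `.example` hostnames and header values.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Normalise a URL to a (scheme, host, port) tuple."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def source_matches(src, emb, res):
    if src == "*":
        return emb[0] in DEFAULT_PORTS
    if src == "'self'":
        return emb == res
    if src.endswith(":") and "/" not in src:      # scheme source, e.g. https:
        return emb[0] == src[:-1]
    if "://" not in src:                          # bare host: use the resource's scheme
        src = f"{res[0]}://{src}"
    scheme, host, port = origin(src)
    if host.startswith("*."):                     # subdomain wildcard
        return (scheme, port) == (emb[0], emb[2]) and emb[1].endswith(host[1:])
    return (scheme, host, port) == emb

def framing_allowed(headers, embedder_url, resource_url):
    """True if the page at embedder_url may frame resource_url."""
    h = {k.lower(): v for k, v in headers.items()}
    emb, res = origin(embedder_url), origin(resource_url)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # frame-ancestors is present, so X-Frame-Options is ignored.
        return any(source_matches(s, emb, res) for s in sources if s != "'none'")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return emb == res
    return True  # no recognised framing restriction

# Constructed sample responses (hostnames and header values are illustrative).
RESOURCE = "https://printserver.example:631/admin"
LEGACY = {"X-Frame-Options": "DENY"}
SCOPED = {"X-Frame-Options": "DENY",
          "Content-Security-Policy": "frame-ancestors 'self' https://dashboard.example"}
```

With `LEGACY` every embedder is refused, while `SCOPED` admits only the server itself and the one listed origin, which is the granularity X-Frame-Options cannot express.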