Allow iFrame embedding for shared things (calendars etc.)

[tzugen]

Right now a Content-Security-Policy is set on all requests. This prevents for example a shared calendar to be embedded on a different site.

FR: Add an option to allow iFrame embedding of shared entries.