Hmm, that’s the header on the query as done by the service worker. I would expect that this does not apply to the resource as loaded via the service worker. But I am just optimistically guessing.
I assume this header is set by the boundary nodes (if only we had the source…), and not by the canister itself or the service worker. Maybe a Web technology expert can advise us about the interplay of that header and service workers.
Ah, when you open an URL like https://identity.ic0.app/ without the service worker installed, the boundary node’s response (the one that installs the service worker) sets x-frame-options: DENY.
So yes, the boundary node need to change to allow the Internet Identity (or any other canister-hosted frontend!) to be embedded as an iframe.