Provide a mechanism for allow-listing origins which can iframe a Mesop app #271

Closed
wwwillchen opened this issue May 17, 2024 · 0 comments · Fixed by #308
wwwillchen commented May 17, 2024

https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html

API

Option 1 - configure at page-level

import mesop as me

@me.page(path="/foo", security_policy=me.SecurityPolicy(allowed_frame_ancestors=["github.com"]))
def app():
    ...

This is nice because it's flexible.

Option 2 - configure at app-level

This could be controlled by a command-line flag or by calling a mesop API at the top-level of a program (e.g. me.register_allowed_frame_ancestors).

Thoughts

I think Option 1 is more flexible and seems more intuitive.

Considerations

Default

We should eventually have the default be that there's no allowed frame ancestor (except for self, which is always permitted). However, we should have good documentation on setting this up before making this the default behavior.

Editor mode

For editor mode, we would probably always allow any frame ancestor, regardless of what's specified, because this is required for Mesop to load in Colab which will iframe Mesop in a randomly-generated origin so it's not possible to specify this ahead of time. Given that apps should never be deployed in editor mode, this seems like a reasonable choice.
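As an added example (a hypothetical helper, not Mesop's own implementation and not part of the issue text), here is what the proposed page-level allow-list would translate into on the wire: a Content-Security-Policy frame-ancestors directive in which 'self' is always permitted and editor mode allows any ancestor, as described above. The SecurityPolicy dataclass and both function names are assumptions that mirror the proposal.

```python
# Added example (hypothetical helper, not Mesop's own implementation):
# turn the proposed allow-list into the CSP frame-ancestors directive.
from dataclasses import dataclass, field
from typing import Dict, Sequence

# Characters that can never appear inside a single CSP source expression.
# A space, ';' or ',' would terminate the source and smuggle in extra
# sources, directives or policies.
_FORBIDDEN = set(" ;,'\"")


@dataclass(frozen=True)
class SecurityPolicy:
    # Origins allowed to embed the page, e.g. "github.com" or
    # "https://example.com:8443". Empty means: only the app itself.
    allowed_frame_ancestors: Sequence[str] = field(default_factory=tuple)


def frame_ancestors_directive(policy: SecurityPolicy, editor_mode: bool = False) -> str:
    """Build the frame-ancestors directive for one response.

    'self' is always included (the proposed default), and editor mode
    allows any ancestor because Colab frames the app from a random origin.
    """
    if editor_mode:
        return "frame-ancestors *"
    sources = ["'self'"]
    for raw in policy.allowed_frame_ancestors:
        origin = raw.strip()
        if not origin:
            continue
        if _FORBIDDEN & set(origin):
            # One bad entry would widen the whole policy, so fail at
            # startup instead of emitting a malformed header.
            raise ValueError(f"invalid frame-ancestors source: {raw!r}")
        if origin not in sources:
            sources.append(origin)
    return "frame-ancestors " + " ".join(sources)


def csp_headers(policy: SecurityPolicy, editor_mode: bool = False) -> Dict[str, str]:
    """Response headers to attach. frame-ancestors supersedes X-Frame-Options
    in browsers that support CSP, so only the CSP header is emitted here."""
    return {"Content-Security-Policy": frame_ancestors_directive(policy, editor_mode)}
```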
