@szeidler
Created July 5, 2021 09:25
Whitelist specific pages for iframe embedding by removing the X-Frame-Options header in Drupal
<?php
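// REMOVE ME: Place in /web/modules/custom/mymodule/src/EventSubscriber/EmbedSubscriber.php
// The Drupal\mymodule_embed namespace below only autoloads if the module's machine name is mymodule_embed.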
namespace Drupal\mymodule_embed\EventSubscriber;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;
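/**
 * Response subscriber that lifts the framing restriction on selected pages.
 *
 * Security note: a response without X-Frame-Options (and without a
 * Content-Security-Policy "frame-ancestors" directive) may be framed by any
 * origin, which exposes the page to clickjacking. Keep the list of URIs as
 * short as possible and limit it to pages that offer no state-changing
 * actions. Where the embedding sites are known, a "frame-ancestors" policy
 * naming them is the tighter control than dropping the header.
 */
class EmbedSubscriber implements EventSubscriberInterface {

  /**
   * {@inheritdoc}
   */
  public static function getSubscribedEvents() {
    // NOTE(review): registered at the default priority. Confirm this listener
    // runs after whichever subscriber adds X-Frame-Options, otherwise the
    // header may be re-added after it is removed here.
    $events[KernelEvents::RESPONSE][] = ['onRespond'];
    return $events;
  }

  /**
   * Removes the X-Frame-Options HTTP header for specific URIs.
   *
   * Used to allow iframe embeds of the listed pages from other origins.
   * Every other response is left untouched and keeps its header.
   *
   * @param \Symfony\Component\HttpKernel\Event\FilterResponseEvent $event
   *   The response event carrying the request and the outgoing response.
   */
  public function onRespond(FilterResponseEvent $event) {
    $whitelistedUris = ['/path1whitelist', '/path2whitelist'];

    // getRequestUri() returns the path including any query string, so only an
    // exact match is exempted: "/path1whitelist?x=1" keeps its header. The
    // strict flag rules out loose-comparison surprises in the lookup.
    $requestUri = $event->getRequest()->getRequestUri();
    if (!in_array($requestUri, $whitelistedUris, TRUE)) {
      return;
    }

    $event->getResponse()->headers->remove('X-Frame-Options');
  }

}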
# Module metadata for the embed allowlist module.
name: Mymodule Embed
description: Whitelists specific pages to be possible to embed as an iframe.
package: Custom
type: module
# Limited to Drupal 8 and 9. The subscriber type-hints Symfony's
# FilterResponseEvent, which newer Symfony releases no longer ship, so this
# constraint should not be widened without updating the subscriber.
core_version_requirement: ^8 || ^9
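# Service definitions for the module. The nesting is significant: the service
# id sits under "services", and "class"/"tags" sit under the service id.
services:
  mymodule_embed:
    # Subscriber that removes X-Frame-Options on the allowlisted URIs.
    class: '\Drupal\mymodule_embed\EventSubscriber\EmbedSubscriber'
    tags:
      # Registers the class with the event dispatcher.
      - { name: 'event_subscriber' }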