Server:
HTTP/1.1 200 OK Server: Apache X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-WebKit-CSP: default-src 'self' X-Permitted-Cross-Domain-Policies: master-only Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
poc/index.html:
<iframe sandbox="" src="poc2.html" width="100%" scrolling="no" height="414" style=""></iframe>