Server:

HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-WebKit-CSP: default-src 'self'
X-Permitted-Cross-Domain-Policies: master-only
Strict-Transport-Security: max-age=10886400; includeSubDomains; preload

poc/index.html:

<iframe sandbox="" src="poc2.html" width="100%" scrolling="no" height="414" style=""></iframe>