Disallow iframes via X-Frame-Options and CSP by default
    
    A decorator, allow_iframe, is also created so that specific
    pages can remove the deny values and allow operating within
    a frame.
    
    The Persona plugin relies on iframes and uses this decorator
    for all endpoints.
    
    https://fedorahosted.org/ipsilon/ticket/15
    
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>