Deprecate X-Frame-Options ALLOW-FROM

We should deprecate [X-Frame-Options ALLOW-FROM](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) directive. It is not longer supported by most browsers. Users should migrate to using [Content-Security-Policy frame-ancestors](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) instead.