Tags: iframe, content-security-policy, x-frame-options

Content Security Policy, X-Frame-Options, and localhost


Kind of a 101 question about X-Frame-Options and/or Content-Security-Policy: frame-ancestors: if one intends to develop an application using iframed production sites (on which I can adjust headers) on a local machine, would they have to add localhost to frame-ancestors in the Content-Security-Policy? Will X-Frame-Options SAMEORIGIN not work at all?


Solution

  • You would want to strip those headers from the framed response so they don't prevent rendering.

    Locally, the only thing that applies would be frame-src coming in the localhost response allowing you to embed your production sites (not setting CSP at all would also work).
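As an added illustration of the rules in this answer (not code from the question or the answer), the following Python models the browser's framing decision: frame-ancestors on the framed response overrides X-Frame-Options, SAMEORIGIN rejects a localhost embedder, and frame-src in the embedder's own CSP governs what it may embed. All URLs, hosts and header values are constructed sample values; the matcher is a reduced form of CSP source-expression matching (no path or `*.host` wildcards).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    # (scheme, host, port) with the scheme's default port filled in
    p = urlsplit(url)
    return p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme)

def parse_csp(header):
    # "a b; c d e" -> {"a": ["b"], "c": ["d", "e"]}; the first copy of a directive wins
    out = {}
    for part in header.split(";"):
        tokens = part.lower().split()
        if tokens and tokens[0] not in out:
            out[tokens[0]] = tokens[1:]
    return out

def source_matches(src, subject, policy_origin):
    # Reduced CSP source-expression matching: 'none', *, 'self', scheme://host:port, host:*
    if src in ("'none'", "*", "'self'"):
        return src == "*" or (src == "'self'" and subject == policy_origin)
    scheme, _, rest = src.rpartition("://")          # scheme is '' when absent
    host, _, port = rest.partition(":")
    s_scheme, s_host, s_port = subject
    want = scheme or policy_origin[0]                # no scheme: inherit the policy's
    if host != s_host or (s_scheme != want and not (want == "http" and s_scheme == "https")):
        return False
    if port == "*":
        return True
    return int(port) == s_port if port else s_port == DEFAULT_PORTS.get(s_scheme)

def frame_allowed(embedder_url, framed_url, framed_headers, embedder_csp=""):
    """Would the browser render framed_url inside embedder_url? -> (bool, reason)."""
    embedder, framed = origin_of(embedder_url), origin_of(framed_url)
    csp = parse_csp(framed_headers.get("Content-Security-Policy", ""))
    if "frame-ancestors" in csp:                     # when present it overrides X-Frame-Options
        if not any(source_matches(s, embedder, framed) for s in csp["frame-ancestors"]):
            return False, "blocked by frame-ancestors on the framed response"
    else:
        xfo = framed_headers.get("X-Frame-Options", "").strip().upper()
        if xfo == "DENY" or (xfo == "SAMEORIGIN" and embedder != framed):
            return False, f"blocked by X-Frame-Options {xfo}"
    srcs = parse_csp(embedder_csp).get("frame-src")  # embedder side: what may it embed?
    if srcs is not None and not any(source_matches(s, framed, embedder) for s in srcs):
        return False, "blocked by frame-src on the embedder response"
    return True, "allowed"

if __name__ == "__main__":   # the situations from the question, with constructed sample values
    print(frame_allowed("http://localhost:3000", "https://app.example.com", {"X-Frame-Options": "SAMEORIGIN"}))
    print(frame_allowed("http://localhost:3000", "https://app.example.com", {"Content-Security-Policy": "frame-ancestors 'self' http://localhost:*"}))
    print(frame_allowed("http://localhost:3000", "https://app.example.com", {}, "frame-src https://app.example.com"))
```

Note that a frame-ancestors entry without a port (`http://localhost`) only matches port 80, so a dev server on another port needs the port spelled out or `localhost:*`.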