CAPTCHA frame not embeddable on 3rd-party website

[catamphetamine]

There's this new CAPTCHA on 4chan.org which provides two ways of using it:

• JSON response from https://sys.4chan.org/captcha?board={boardId}&thread_id={threadId}
  • Returns CAPTCHA info object, but is behind CloudFlare anti-spam protection, so it may return an HTML verification page instead, which means that it would be cumbersome to use for 3rd-party applications, and won't work at all for 3rd-party websites.
• HTML response from https://sys.4chan.org/captcha?framed=1&board={boardId}&thread_id={threadId}
  • The returned HTML page performs window.parent.postMessage() with CAPTCHA info object argument.
  • But it doesn't work either due to a "Content Security Policy" error:
    "Refused to display 'sys.4chan.com' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors https://*.4chan.org""

The reason for the <iframe/> not working is Content-Security-Policy HTTP response header having value frame-ancestors https://*.4chan.org;. The fix would be either not specifying that HTTP response header at all, or maybe specifying it to be frame ancestors *;.