Protect against clickjacking with Content-Security-Policy: frame-ancestors

[simonw]

If I care about clickjacking I should use the Content-Security-Policy: frame-ancestors 'self' header.

Originally posted by @simonw in #45 (comment)

[simonw]

Since these are read-only queries that don't send information anywhere other than the user's own browser theoretically there's no risk from clickjacking here - but I like defense in depth.