There are a few threads about LiveViews on iframes now. For anyone landing here in the future, this is the current solution I’ve found:
After trying several things I gathered around the internet, I found the 3 minimal steps which limit security-related changes to the embeddable LiveViews only.
Separate LiveView Socket.
Separate Router Pipeline replacing x-frame-options HTTP header with a restrictive CSP.
Separate layout for embeddable LiveViews independent from session-based assigns.
