Add comments to explain that frame-ancestors CSP must be customized i…

…n each project.

geoportal/c2cgeoportal_geoportal/scaffolds/create/{{cookiecutter.project}}/geoportal/vars.yaml

@@ -316,6 +316,11 @@ vars:
       # All versions
       arguments: *redis-cache-arguments
 
+  # This parameter set the list of hosts allowed to use the iframe api.
+  # 'self' will block all external usage, you must add additional hosts separated by space.
+  # see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+  content_security_policy_iframe_api_frame_ancestors: "'self'"
+
   # Control the HTTP headers
   headers:
     dynamic: &header {}