Update the builtin and legacy servers to send the proper X-Frame-Options header so that iframing is denied from extraneous origins.
The legacy server has been updated to ensure clickjacking is not possible on jujucharms.com.
Tests: `make unittest`.
QA:
- juju bootstrap an environment;
- run `make deploy`;
- wait for the GUI to be ready/started;
- open the GUI with the browser and log in;
- prepare an HTML page like the following, replacing <GUI UNIT HOSTNAME> with the address of the GUI in your environment:
- open the test page above with the browser, the iframe should be empty;
- switch to the legacy server: `juju set juju-gui builtin-server=false`;
- wait a minute for the config-changed hook to complete;
- open the test page above with the browser, the iframe should be empty;
- destroy the environment.
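
The QA steps above confirm the fix by eye in a browser. As an added example (not part of the charm or of this proposal), the following Python check inspects the response headers directly, so the same verification can be repeated for both the builtin and the legacy server. The function names and sample headers are hypothetical, and because the description does not say which value the servers send, the check accepts either `DENY` or `SAMEORIGIN`.

```python
"""Added example: audit the X-Frame-Options header of an HTTP response."""
import sys
import urllib.request

# Values that stop a page on another origin from framing the response.
PROTECTIVE = {"DENY", "SAMEORIGIN"}

# Constructed sample responses (not captured from a real GUI unit).
SAMPLES = {
    "fixed server": [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "no header": [("Content-Type", "text/html")],
    "folded conflict": [("x-frame-options", "DENY, SAMEORIGIN")],
    "obsolete value": [("X-Frame-Options", "ALLOW-FROM https://example.com")],
}


def frame_policy(headers):
    """Return (status, reason) for a list of (name, value) header pairs.

    status is 'deny', 'sameorigin' or 'unprotected'.
    """
    values = []
    for name, value in headers:
        if name.strip().lower() == "x-frame-options":
            # A proxy may fold repeated headers into one comma-separated line.
            values.extend(v.strip().upper() for v in value.split(","))
    values = [v for v in values if v]
    if not values:
        return "unprotected", "header missing"
    distinct = set(values)
    if len(distinct) > 1:
        # Fail the audit: the server should send one unambiguous value.
        return "unprotected", "conflicting values: " + ", ".join(sorted(distinct))
    if values[0] not in PROTECTIVE:
        return "unprotected", "unsupported value: " + values[0]
    return values[0].lower(), "ok"


def fetch_headers(url):
    """Fetch url and return its headers; needs a certificate the host trusts."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return list(resp.headers.items())


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. the GUI unit address used in the QA steps
        print(sys.argv[1], frame_policy(fetch_headers(sys.argv[1])))
    else:
        for label, hdrs in SAMPLES.items():
            print(label, frame_policy(hdrs))
```

Run it without arguments to see the constructed cases, or pass the GUI address once before and once after `juju set juju-gui builtin-server=false` to compare the two servers.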