fix case that site uses meta tags instead of headers for content-secu…

…rity-policy

remove adding sec-websocket-protocol manually since that breaks thing…

…s instead of fixing it

enable support for embedding in iframe

add heroku link

removed intentional typo