APEX 20.2
If I set Embed in Frames to DENY, I get an error that the browser refuses to display a dialog window if I am using Friendly URLs. It says that it got both a Same Origin and a Deny and is, therefore, defaulting to DENY and refusing to render the page. If I make no other change other than to turn off Friendly URLs, this works just fine. Moreover, if Friendly URLs are enabled and I generate a link to be placed into the DOM and, there, use a Friendly URL format, I get the same error. However, if I generate the same link with the "old style" APEX URL. It is just fine.
It seems like something about Friendly URLs is clobbering the application security setting. This is 100% repeatable.
Has anyone else come across this behavior?