Unset X-Frame-Options header correctly (#4721)

* Unset X-Frame-Options header correctly

According to the [spec](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) there are only the `DENY` and `SAMEORIGIN` options, `ALLOW-FROM` being deprecated. Hence we have to actively unset the header, as we made `DENY` the default.

This also unsets the X-Frame-Options header for the public form pages, which fixes #4666.

* Ignore anti forgery token in Forms

---------

Co-authored-by: nicolas.dorier <nicolas.dorier@gmail.com>
This commit is contained in:
d11n
2023-03-01 07:27:18 +01:00
committed by GitHub
parent 5790bed766
commit 23761eacc1
7 changed files with 25 additions and 27 deletions


@@ -54,7 +54,7 @@ namespace BTCPayServer.Plugins.Crowdfund.Controllers
[HttpGet("/")]
[HttpGet("/apps/{appId}/crowdfund")]
[XFrameOptions(XFrameOptionsAttribute.XFrameOptions.AllowAll)]
[XFrameOptions(XFrameOptionsAttribute.XFrameOptions.Unset)]
[DomainMappingConstraint(AppType.Crowdfund)]
public async Task<IActionResult> ViewCrowdfund(string appId, string statusMessage)
{
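Review bot: the swap from `XFrameOptions.AllowAll` to `XFrameOptions.Unset` on `ViewCrowdfund` only does what the commit message promises if the attribute filter actually removes the `X-Frame-Options` header that the `DENY` default injects, rather than writing an empty or unrecognised value; please confirm the filter implementation deletes the header, and since `AllowAll` is a public enum member, check that no other plugin or test still references it, or the rename turns into a compile error outside this diff.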
@@ -86,7 +86,7 @@ namespace BTCPayServer.Plugins.Crowdfund.Controllers
[HttpPost("/")]
[HttpPost("/apps/{appId}/crowdfund")]
[XFrameOptions(XFrameOptionsAttribute.XFrameOptions.AllowAll)]
[XFrameOptions(XFrameOptionsAttribute.XFrameOptions.Unset)]
[IgnoreAntiforgeryToken]
[EnableCors(CorsPolicies.All)]
[DomainMappingConstraint(AppType.Crowdfund)]
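Review bot: with `XFrameOptions.Unset`, `[IgnoreAntiforgeryToken]` and `[EnableCors(CorsPolicies.All)]` now stacked on the same `HttpPost` action, this endpoint is reachable from any origin both inside a frame and via a cross-origin request with no CSRF token check; that is presumably intended for a public crowdfund form, but a short comment on the action stating why it is safe (for instance that the request does not act on the caller's authenticated session) would save the next reviewer from having to re-derive it, and the change itself is consistent with the GET action in the previous hunk.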