The frame-ancestors
value acts on the source of the iframe not the document framing it. Setting CSP on your page will have no effect on the framing. Think of frame-ancestors
like X-Frame-Options
on steroids: it restricts what is allowed to frame the content. Gist intentionally does not allow directly framing gists but instead provides a way to embed a Gist.
frame-ancestors 'none'
== X-Frame-Options: DENY