I have successfully (it appears) embedded Mattermost in an iframe. I run the Mattermost Docker image with a nginx reverse proxy in front.
Be aware that by doing this you are decreasing the level of security of your site.
Mattermost uses a set of HTTP headers in addition to a JavaScript trick to prevent embedding/clickjacking.
In nginx I strip out the two relevant HTTP headers:
location / {
# Disable gzip due to https://bugs.debian.org/773332
gzip off;
# Enable WebSockets:
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://localhost:8065/;
include /etc/nginx/proxy_params;
# Mattermost does not allow embedding by default, so we strip out the header that restricts it:
proxy_hide_header Content-Security-Policy;
proxy_hide_header X-Frame-Options;
}
The JavaScript is located in the /mattermost/mattermost/web/templates/head.html file.
Somewhat early in the file there is a snippet
<style id=“antiClickjack”>body{display:none !important;}</style>
Comment that out by adding <!-- and --> around it and you should be good!