There are no plugins activated, I even tried deactivating zipdownload, still not working. Debugging suggests deactivating SAMEORIGIN for iframes by setting
$config['x_frame_options'] = false;
in the config file. Somehow, Roundcube still tells the browser to DENY, because it's getting the statements DENY and FALSE, thus falling back to DENY. Is there any other line of code, setting the specific header to DENY? I'm pretty lost right now.