diff --git a/project/requests.py b/project/requests.py
index feb59a3..513d63e 100644
--- a/project/requests.py
+++ b/project/requests.py
@@ -46,7 +46,11 @@ def set_response_headers(response):
     if request and request.endpoint:
         if request.endpoint.startswith("api_"):
             return response
-        if request.endpoint != "static" and request.endpoint != "widget_event_dates":
+        if (
+            request.endpoint != "static"
+            and request.endpoint != "widget_event_dates"
+            and request.endpoint != "custom_widget_type"
+        ):
             response.headers["X-Frame-Options"] = "SAMEORIGIN"
             response.headers["X-Content-Type-Options"] = "nosniff"
diff --git a/project/static/widget-loader.js b/project/static/widget-loader.js
index 3728ca0..e223348 100644
--- a/project/static/widget-loader.js
+++ b/project/static/widget-loader.js
@@ -233,7 +233,7 @@
         xmlhttp.overrideMimeType(mimeType);
     }
-    xhr.setRequestHeader("X-CSRFToken", "{{ csrf_token() }}");
+    xmlhttp.setRequestHeader("X-CSRFToken", "{{ csrf_token() }}");
     xmlhttp.send();
     return xmlhttp.responseText;
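Review bot: Exempting `custom_widget_type` from the condition also drops `X-Content-Type-Options: nosniff` for that endpoint, although only `X-Frame-Options` has to be relaxed for a response that third parties are meant to frame; nosniff has no bearing on framing and should be set unconditionally, which the `static` and `widget_event_dates` exemptions already get wrong. The growing chain of `!=` comparisons is easier to audit as a module-level `frozenset` of frameable endpoints, so the next widget endpoint becomes a one-token change instead of another clause. If these widgets are embedded on other origins, a `Content-Security-Policy: frame-ancestors` allow-list is the way to permit that without giving up framing protection entirely. `set_response_headers` starts before this hunk, and the header counts one more line than is visible here, so the tail of the function cannot be checked.
```python
# Endpoints whose responses are embedded by third-party pages; only the
# framing protection is relaxed for them, nosniff stays on everywhere.
FRAMEABLE_ENDPOINTS = frozenset({"static", "widget_event_dates", "custom_widget_type"})

# … unchanged: api_ early return …
        response.headers["X-Content-Type-Options"] = "nosniff"
        if request.endpoint not in FRAMEABLE_ENDPOINTS:
            response.headers["X-Frame-Options"] = "SAMEORIGIN"
```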
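Review bot: Renaming `xhr` to `xmlhttp` stops the ReferenceError, but the header value on the new line is still the Jinja expression `{{ csrf_token() }}` inside a file under `project/static/`; unless that file is served through the template engine (not visible here) the browser sends the literal text and the CSRF check fails anyway, and if it is rendered per session, a loader that other origins embed (the X-Frame-Options exemptions in the sibling hunk suggest it is) hands the viewer's CSRF token to any page that includes the script, which defeats the token. A custom request header on a cross-origin XHR also forces a CORS preflight that the widget endpoints would have to answer. Since `send()` is called without a body (presumably a GET), the token buys nothing here, so I would drop the `setRequestHeader` line and add `// NOTE: no CSRF header — GET is idempotent; widget endpoints must be CSRF-exempt server-side`. The enclosing function and the `xmlhttp.open(...)` call are outside the hunk, so whether the request is synchronous, which `return xmlhttp.responseText` immediately after `send()` requires, cannot be confirmed from here.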