I am using cordova-plugin-inappbrowser 1.6.1 for an OAuth login page. Unfortunately, the login does not work with "phonegap serve" since it uses X-Frame-Options: DENY.
I see two possible solutions:
1) window.open instead of iframe
2) Load everything in the InAppBrowser through a proxy and remove such headers (similar to the proxy which is used for CORS problems).