Content-Security-Policy (CSP) workaround for inter

Posted 2020-03-02 05:48

We are building an ASP.NET website and want to allow only some domains to iframe our website. CSP is not supported in Internet Explorer. I am setting something like Response.AddHeader("Content-Security-Policy", "frame-ancestors mydomain1.com mydomain2.com").

How is everyone handling this for Internet Explorer? I read IE supports X-Content-Security-Policy, but it doesn't have frame-ancestors.

Also, I am removing the default X-Frame-Options header added by IIS by doing

Response.Headers.Remove("X-Frame-Options")

5 answers
We Are One
#2 · 2020-03-02 06:23

The solution recommended by Microsoft is the following:

  1. internally, whitelist domain1.com and domain2.com
  2. when embedding your iframe URL, add a parameter in the URL that specifies the origin: iframe src="http://example.org/frame.html?origin=http://domain1.com"
  3. on your server, check whether the origin value is whitelisted. Use it to set X-Frame-Options: ALLOW-FROM http://domain1.com

You could also check the Referer header if it is present.

我想做一个坏孩纸
#3 · 2020-03-02 06:31

X-Content-Security-Policy works for IE; test browsers for CSP support using https://content-security-policy.com/browser-test/

A snippet in Express would look like:

// Middleware that emits the legacy, prefixed CSP header for IE
function applyCSPforIE(req, res, next) {
    res.setHeader('X-Content-Security-Policy', 'frame-ancestors \'self\' http://whatever.com/');
    next();
}

You could use both together and it works, but there's a warning about it in this article.

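Answers #2 and #3 together as runnable code (an added example, not code from the original question or any of the answers): the per-request X-Frame-Options: ALLOW-FROM choice from #2 alongside the Content-Security-Policy frame-ancestors header, wrapped in Express-style middleware of the same shape as the snippet in #3. The allow-list, the ?origin= query parameter name and DENY as the fallback for IE are assumptions for illustration. The point the answers do not spell out: the origin parameter is chosen by whoever embeds the page, so it has to be parsed as a URL and compared against the allow-list as a whole origin, not matched as a prefix.

```javascript
'use strict';
// Added example, not from the original page. Assumed: the allow-list below,
// an ?origin= query parameter set by the embedding page, and DENY as the
// fallback for IE when the embedder cannot be identified.

// Hypothetical allow-list of origins permitted to frame this site.
const ALLOWED_FRAME_ORIGINS = new Set([
  'https://domain1.com',
  'https://domain2.com',
]);

// Reduce a candidate value to an origin ("scheme://host[:port]"), or null if
// it is not an absolute http(s) URL. Using the URL parser rather than string
// matching means path, query, userinfo and host case are all normalised away.
function toOrigin(value) {
  if (typeof value !== 'string' || value === '') return null;
  let parsed;
  try {
    parsed = new URL(value);
  } catch (err) {
    return null;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  return parsed.origin;
}

// Compute the framing headers for one response.
//   originParam: the ?origin= value from the embed URL (attacker-controlled)
//   referer:     the Referer request header, used only as a fallback
function frameHeadersFor(originParam, referer) {
  const headers = {};

  // Browsers with CSP support: the whole allow-list in one header.
  headers['Content-Security-Policy'] =
    'frame-ancestors ' + Array.from(ALLOWED_FRAME_ORIGINS).join(' ');

  // IE 8-11: ALLOW-FROM takes a single origin, so it must be chosen per
  // request. Membership is tested on the whole origin, never on a prefix,
  // so "https://domain1.com.attacker.example" is rejected.
  const candidate = toOrigin(originParam) || toOrigin(referer);
  if (candidate !== null && ALLOWED_FRAME_ORIGINS.has(candidate)) {
    headers['X-Frame-Options'] = 'ALLOW-FROM ' + candidate;
  } else {
    // Unknown or unverifiable embedder: fail closed for IE. Browsers that
    // understand frame-ancestors ignore X-Frame-Options when CSP is present.
    headers['X-Frame-Options'] = 'DENY';
  }
  return headers;
}

// Express-style middleware, same shape as the snippet in answer #3.
// Usage (assumed): app.use(frameGuard);
function frameGuard(req, res, next) {
  const originParam = req.query ? req.query.origin : undefined;
  const headers = frameHeadersFor(originParam, req.get('Referer'));
  for (const name of Object.keys(headers)) res.setHeader(name, headers[name]);
  next();
}
```

A legitimate embedder that neither passes ?origin= nor sends a Referer gets DENY in IE under this policy; that is the deliberate fail-closed choice, and the cost is that every whitelisted embedder must be told to include the parameter.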
Summer. ? 凉城
#4 · 2020-03-02 06:31

The following apache configuration works for me in all major browsers (April 2018):

<IfModule mod_headers.c>
    Header set Content-Security-Policy "frame-ancestors http://*.example.com/ 'self';"

    # For IE 11 and below
    Header set X-Frame-Options SAMEORIGIN
    Header append X-Frame-Options "ALLOW-FROM http://example.com/"
</IfModule>
太酷不给撩
#5 · 2020-03-02 06:32

X-Frame-Options is being superseded by Content-Security-Policy, but as you say, not all browsers fully support Content-Security-Policy yet.

You say you're intentionally removing X-Frame-Options, but you shouldn't. That is supported by Internet Explorer, so if you use it in addition to Content-Security-Policy, you will get the same effect across a wider range of browsers.

See X-Frame-Options documentation here, which includes a mention of IE support: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

小情绪 Triste *
#6 · 2020-03-02 06:36

Internet Explorer 8 through 11 only support X-Frame-Options, and you can use the ALLOW-FROM value. Specify the URLs for your iframes there.

Please keep in mind only the latest Internet Explorer browsers support X-Content-Security-Policy.
