This may have to do with the recent security vulnerability which was discovered on both dropbox and box.com.
In short, the vulnerability allowed share links to be viewed outside of the interface. Restricting includes to same origin would prevent that.
In essence, this restriction means in order to embed the content in an iframe, the iframe's parent frame must be served from the same domain.