
Embedding an iframe: headers

HTTP response headers control whether a page may be embedded in an iframe on other web pages.

To find them, follow these steps:

  1. Open the page.
  2. Open the developer console (press F12).
  3. Switch to the Network tab and select the Doc type.
  4. Look for the section labeled "Response Headers."
  5. In that section, look for the following headers:
    • Content-Security-Policy: frame-ancestors
    • Content-Security-Policy: default-src
    • X-Frame-Options

These headers determine the embedding permissions on the page.

The table below shows the priority of each header and the recommendation for each scenario.

| Priority 1: Content-Security-Policy: frame-ancestors | Priority 2: Content-Security-Policy: default-src | Priority 3: X-Frame-Options | Result | Recommendation |
|---|---|---|---|---|
| `*` | Any or absent | Any or absent | Embedding allowed on any domain | Not required ¹ |
| `'none'` | Any or absent | Any or absent | Embedding allowed on any domain | Replace with: `Content-Security-Policy: frame-ancestors 'self' *.proctor.constructor.app` |
| `'self'` | Any or absent | Any or absent | Embedding only possible on the same domain and those listed after `'self'` | Add after `'self'`: `*.proctor.constructor.app` |
| Header absent | `*` | Any or absent | Embedding allowed on any domain | Not required ¹ |
| Header absent | `'none'` | Any or absent | Embedding is prohibited | Add the header: `Content-Security-Policy: frame-ancestors 'self' *.proctor.constructor.app` |
| Header absent | `'self'` | Any or absent | Embedding only possible on the same domain and those listed after `'self'` | Add the header: `Content-Security-Policy: frame-ancestors 'self' *.proctor.constructor.app` |
| Header absent | Header absent | `DENY` | Embedding is prohibited ² | Add the header: `Content-Security-Policy: frame-ancestors 'self' *.proctor.constructor.app` |
| Header absent | Header absent | `SAMEORIGIN` | Embedding only possible on the same domain ² | Add the header: `Content-Security-Policy: frame-ancestors 'self' *.proctor.constructor.app` |
| Header absent | Header absent | `ALLOW-FROM` or header absent | Embedding allowed on any domain | Not required ² |

  • ¹ You can leave the configuration unchanged, or tighten it by adding the header `Content-Security-Policy: frame-ancestors 'self' *.proctor.constructor.app`.
  • ² The more secure option is to add `Content-Security-Policy: frame-ancestors 'self' *.proctor.constructor.app` rather than removing the X-Frame-Options header or allowing embedding from any website with `ALLOW-FROM *.proctor.constructor.app`.

Note: For the exam page to open successfully in Constructor Proctor, embedding in an iframe must be allowed.
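The following script walks the same priority order as the table (frame-ancestors, then default-src, then X-Frame-Options) to decide whether a given framing host may embed a page and, if not, which header to add. It is an example added to this article, not Constructor's own code; the host names `exam.example.edu` and `app.proctor.constructor.app` used in the comments are constructed for illustration.

```python
"""Decide whether a framing host may embed a page, using the header priority
from the table above (added example, not Constructor's own code)."""

# Allow-list source and recommended header taken from the table above.
PROCTOR_SOURCE = "*.proctor.constructor.app"
RECOMMENDATION = f"Content-Security-Policy: frame-ancestors 'self' {PROCTOR_SOURCE}"


def _directive(csp, name):
    """Source list of one CSP directive, or None if the directive is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None


def _source_allows(sources, framer, page_host):
    """True if a CSP source list lets `framer` embed a page served by `page_host`."""
    for src in sources:
        if src == "*":
            return True
        if src == "'none'":
            return False
        if src == "'self'" and framer == page_host:
            return True
        # Host sources: strip an optional scheme and path, honour a "*." prefix.
        host = src.split("://", 1)[-1].split("/", 1)[0]
        if host.startswith("*.") and framer.endswith(host[1:]):
            return True
        if host == framer:
            return True
    return False


def embedding_check(headers, framer, page_host):
    """Return (allowed, recommendation) for a dict of response headers.

    Example: embedding_check({"X-Frame-Options": "DENY"},
                             "app.proctor.constructor.app", "exam.example.edu")
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    for name in ("frame-ancestors", "default-src"):  # priority 1, then priority 2
        sources = _directive(csp, name)
        if sources is not None:
            allowed = _source_allows(sources, framer, page_host)
            return allowed, None if allowed else RECOMMENDATION
    xfo = h.get("x-frame-options", "").strip().upper()  # priority 3
    if xfo == "DENY":
        return False, RECOMMENDATION
    if xfo == "SAMEORIGIN":
        allowed = framer == page_host
        return allowed, None if allowed else RECOMMENDATION
    return True, None  # ALLOW-FROM or no header: any domain may embed
```

Paste the headers you read from the Network tab into the `headers` dict to reproduce the table's verdict for your own page.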