Build CORS/CSP headers for iframe embedding
Allowed origin (optional, defaults to "*")
Headers handler
Build CORS/CSP headers for iframe embedding