When an iframe is used to display a PDF, the browser makes an HTTP request to fetch the PDF file from the server.

This request includes HTTP headers, and the server’s response will also contain HTTP headers.

Whether CORS headers are involved depends on the origin of the PDF file relative to the web page containing the iframe:
• Same-Origin: If the PDF is hosted on the same origin as the web page, CORS headers are generally not needed.
• Cross-Origin: If the PDF is hosted on a different origin, the server must include appropriate CORS headers (e.g., Access-Control-Allow-Origin) in its response to allow the PDF to be displayed in the iframe.

Without the correct CORS headers, the browser may block the PDF from being displayed due to security restrictions.

This site uses Just the Docs, a documentation theme for Jekyll.