Enabling frame-ancestors: 'self' grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of enable_subdomains = False.
frame-ancestors: self, orJupyterHub.enable_subdomains = True (then even if embedding in an IFrame is allowed, the host page does not have access to the contents of the frame).JupyterHub documentation on why and when frame-ancestors: self is insecure, and why it was disabled by default: https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html#:~:text=frame-ancestors