Content Security Policy Error During iframe Login

Problem statement

Whenever a user attempts to log in through the iframe, the following error occurs:

Refused to frame 'https://auth0domain/'; because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'"


The cause of this issue is expected and fully explained in the document Clickjacking Protection for Universal Login Change.


If the toggle is enabled, additional HTTP security headers will not be included in the response to prevent embedding the Universal Login prompts in an IFRAME.

This can be changed as well via the management API to enable this flag for your tenant by performing a request like the following:

PATCH https://your_auth0_domain/api/v2/tenants/settings
     “flags”: {
        “disable_clickjack_protection_headers”: true

See Update tenant settings for more details.

Note, to be able to patch the tenant settings, the token needs to have the update:tenant_settings permission.