Cross-Origin: 'X-Frame-Options' to 'SAMEORIGIN'

dilger · April 4, 2018, 7:35am

Since beginning of April the login on iOS later than iOS 7 doesn’t work anymore. It is using a Cross-Origin-Url like described in Cross-Origin Authentication.

I am using auth0.js v9 in a custom form and I am not using the Lock widget.

Whenever I try to login it shows a white screen and the console throws the following error:

Refused to display ‘https://example.com/callback-cross-auth#origin=https://example.eu.auth0.com’ in a frame because it set ‘X-Frame-Options’ to ‘SAMEORIGIN’.

How can I get around that? It’s thrown on iOS > 7 in Safari and Chrome.

On other clients it is working fine and as expected.

Best regards

Chris

jmangelo · April 4, 2018, 10:57am

Based on the information you provided you have configured cross origin authentication with a verification page as instructed at Cross-Origin Authentication. In your scenario this page is located at https://example.com/callback-cross-auth and it will be called as part of an iframe that will have a URL associated with your Auth0 service.

Given that the HTTP response coming from https://example.com/callback-cross-auth includes an header X-Frame-Options instructing the browser to only display this page if the iframe is under the same origin you’ll get the error in question.

In conclusion, the verification page needs to be served in a way that it will allow the browser to display it within the iframe located in an Auth0 service origin so you’ll need to update your web server to not include that header for that specific URL.

dilger · April 4, 2018, 1:25pm

Ok. Thanks for this. We just removed this header option and it does work now.

So, thank you so much.

tomfaber7 · May 31, 2018, 1:46pm

Ran into the same problem. Could you please describe how you solved it @dilger ?
Where did you remove the “header” option from ?