Feature: Per-Application Clickjacking Protection Configuration for Classic and New Universal Login
Description: Currently, the New Universal Login enforces clickjacking protection by default, with no option to configure it per application. This limitation prevents whitelisting specific domains for iframe embedding and blocking the usage of the New Universal Login. A feature to configure clickjacking protection per application would allow specifying whitelisted domains in the Content Security Policy (CSP) header. While the Classic Login allows disabling this protection, it applies at the tenant level, leaving all applications vulnerable across any domain.
Use-case: This feature would enable secure embedding of applications in iframes on specific external domains without compromising the security of other applications. For example, it would support scenarios where an application must be embedded in a trusted partner’s website while maintaining clickjacking protection for other applications.
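One way the requested per-application allowlist could translate into response headers, as an added example that is not part of the original post and not Auth0 code. The application ids, origins and function names are hypothetical; applications with no valid allowlist entry fall back to denying all framing.

```javascript
// Constructed sample configuration: application id -> origins allowed to embed it.
const FRAME_ALLOWLIST = {
  "partner-portal": [
    "https://partner.example.com",
    "https://app.partner.example.com:8443",
  ],
  "internal-admin": [], // no embedding allowed
};

// Accept only exact https origins. Wildcards, paths, queries, credentials and
// hostnames with characters that could break out of the directive are rejected.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value.includes("*")) return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  if (url.username || url.password) return null;
  if (url.pathname !== "/" || url.search || url.hash) return null;
  if (!/^[a-z0-9.-]+$/.test(url.hostname)) return null;
  return url.origin;
}

// Build the anti-framing headers for one application (hypothetical helper).
function frameHeadersFor(appId, allowlist = FRAME_ALLOWLIST) {
  const known = Object.prototype.hasOwnProperty.call(allowlist, appId);
  const configured = known ? allowlist[appId] : [];
  const origins = [...new Set(configured.map(normalizeOrigin).filter(Boolean))];
  if (origins.length === 0) {
    // Default: no framing. X-Frame-Options covers browsers without frame-ancestors.
    return {
      "Content-Security-Policy": "frame-ancestors 'none'",
      "X-Frame-Options": "DENY",
    };
  }
  // X-Frame-Options cannot express a multi-origin allowlist, so only CSP is sent.
  return { "Content-Security-Policy": `frame-ancestors ${origins.join(" ")}` };
}
```
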