Is it secure to embed SPA in iframe?

msiracusa · April 19, 2021, 8:13pm

Hi all

I have an application that is using Auth0 to authenticate users. Now I would like that any third party sites can embed my application in an iframe so that they can use the services from my app.

I’m not sure about the security implications of this. I did a PoC and tried to access the id token from the third party site and I can see that it is forbidden by the browser:

Uncaught DOMException: Permission denied to access property "document" on cross-origin object

But the fact that the token lives in the local session storage makes me a little uneasy about this use case.

What would be the recommendation?

msiracusa · May 10, 2021, 8:26pm

Replying to myself, in case that anyone has a question like this.

I asked Auth0’s professional services and they told me that it’s not a good idea.

I proposed a mitigation strategy (using CSP HTTP header to whitelist the domains that are allowed to embed the login page) but they didn’t comment about that.

konrad.sopala · May 11, 2021, 8:55am

Thanks for sharing that with the rest of community!

system · May 26, 2021, 8:56am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Use SPA SDK with Cross-Origin Embeder Policy Help auth0-spa-js	7	3332	May 2, 2022
Auth0 SSO with iframe Help auth0 , login , iframe	3	10732	October 26, 2020
Auth0 on iframe Help	2	4441	March 18, 2020
Allowing app to be used in iFrames for custom domains Feedback login , security , iframe	7	3893	November 17, 2024
Authentication from iframe with 3rd party cookies disabled Help sessions , rotating-refresh-tokens	3	3929	January 31, 2024

Is it secure to embed SPA in iframe?

Related topics