Is it secure to embed SPA in iframe?

Hi all

I have an application that is using Auth0 to authenticate users. Now I would like any third-party site to be able to embed my application in an iframe so that they can use the services from my app.

I’m not sure about the security implications of this. I did a PoC and tried to access the id token from the third party site and I can see that it is forbidden by the browser:

Uncaught DOMException: Permission denied to access property "document" on cross-origin object

But the fact that the token lives in the local session storage makes me a little uneasy about this use case.

What would be the recommendation?

Replying to myself, in case that anyone has a question like this.

I asked Auth0’s professional services and they told me that it’s not a good idea.

I proposed a mitigation strategy (using the CSP HTTP header to whitelist the domains that are allowed to embed the login page) but they didn't comment on that.
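The CSP allowlist mitigation mentioned above, as an added example that is not part of the original thread: a helper that builds a `frame-ancestors` header from a list of partner origins, rejects entries that are not plain https origins, and checks which embedders the resulting policy admits. The partner origins and function names are constructed for illustration; the header limits who can frame the page but does not change where the token is stored.

```javascript
// Added example: build a Content-Security-Policy frame-ancestors header from an
// allowlist of embedding origins. Origins below are constructed, not real partners.
const ALLOWED_EMBEDDERS = [
  "https://partner-one.example",
  "https://partner-two.example:8443",
];

// Accept only absolute https origins: scheme + host[:port], no path, query,
// fragment, credentials or wildcard. Returns the canonical origin or null.
function normalizeOrigin(entry) {
  let url;
  try { url = new URL(entry); } catch { return null; }
  if (url.protocol !== "https:") return null;            // no plaintext embedders
  if (url.pathname !== "/" || url.search || url.hash) return null;
  if (url.username || url.password) return null;
  return url.origin;
}

// Headers to send with the SPA's HTML document (the page that gets framed).
function buildFramingHeaders(allowlist) {
  const origins = allowlist.map(normalizeOrigin);
  const bad = allowlist.filter((_, i) => origins[i] === null);
  if (bad.length) throw new Error(`invalid embedder origin(s): ${bad.join(", ")}`);
  const unique = [...new Set(origins)];
  return {
    // Browsers that support frame-ancestors use it and ignore X-Frame-Options.
    "Content-Security-Policy": `frame-ancestors 'self' ${unique.join(" ")}`,
    // X-Frame-Options has no allowlist form, so legacy browsers get same-origin only.
    "X-Frame-Options": "SAMEORIGIN",
  };
}

// Simplified model of how a browser evaluates frame-ancestors for one embedder:
// exact origin match, or 'self' when the embedder is the app's own origin.
function isEmbedderAllowed(headers, embedderOrigin, selfOrigin) {
  const csp = headers["Content-Security-Policy"];
  const sources = csp.replace(/^frame-ancestors\s+/, "").split(/\s+/);
  return sources.some((src) =>
    src === "'self'" ? embedderOrigin === selfOrigin : src === embedderOrigin
  );
}

const headers = buildFramingHeaders(ALLOWED_EMBEDDERS);
console.log(headers["Content-Security-Policy"]);
console.log(isEmbedderAllowed(headers, "https://evil.example", "https://app.example")); // false
```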


Thanks for sharing that with the rest of the community!
