Feature: Make Content-Security-Policy frame-ancestors directive configurable for New Universal Login
Description: From the Docs: On New Universal Login the following security headers are always set:
X-Frame-Options: deny
Content-Security-Policy: frame-ancestors 'none'
From what I understand, this prevents the New Universal Login from being rendered inside iframes, which is absolutely the best default behaviour from the security point of view.
But if I want to define “trusted” ancestors, there is no option to do so at the moment.
Use-case: We have a SPA which works great with New Universal Login. Let's say we want to pin our application inside Microsoft Teams as a Channel-Tab. Currently this will not work, since MS-Teams would render our application inside an iframe (at least in the browser version) and the Login would not render. If we could configure the frame-ancestors to allow “https://teams.microsoft.com”, for example, we could support such use-cases.
That said, this request must be evaluated carefully since I’m not sure about related security issues.
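Added example (not part of the thread, and not Auth0 code): a simplified JavaScript model of how a browser evaluates `frame-ancestors`, showing what the allowlist requested above would and would not permit. The origins `login.example` and `app.example` and the configured header value are constructed assumptions; matching is limited to `'self'` and `scheme://host[:port]` sources.

```javascript
// Simplified model of the browser's frame-ancestors check (added example).
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Return the frame-ancestors source list, or null if the directive is absent.
function frameAncestorsSources(csp) {
  for (const directive of csp.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Match one ancestor origin against one source expression. Handles 'self',
// scheme://host[:port] and scheme://*.host. Exact scheme match only: CSP3's
// http-to-https upgrade matching is not modelled. 'none' never matches.
function sourceMatches(source, ancestor, selfOrigin) {
  if (source.toLowerCase() === "'self'") return ancestor === selfOrigin;
  const m = /^(https?:)\/\/(\*\.)?([^/:]+)(?::(\d+))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const a = new URL(ancestor);
  if (a.protocol !== scheme.toLowerCase()) return false;
  const defaultPort = DEFAULT_PORT[a.protocol];
  if ((a.port || defaultPort) !== (port || defaultPort)) return false;
  const h = host.toLowerCase();
  return wildcard ? a.hostname.endsWith("." + h) : a.hostname === h;
}

// Framing is allowed only if EVERY ancestor in the chain matches some source.
function mayBeFramed(csp, ancestors, selfOrigin) {
  const sources = frameAncestorsSources(csp);
  if (sources === null) return true; // CSP places no restriction on framing
  return ancestors.every((a) => sources.some((s) => sourceMatches(s, a, selfOrigin)));
}

// Constructed sample data: login.example stands in for the tenant login
// domain, app.example for the SPA. The Teams origin is the one from the post.
const SELF = "https://login.example";
const TEAMS = "https://teams.microsoft.com";
const CURRENT = "frame-ancestors 'none'";
const REQUESTED = `frame-ancestors ${TEAMS}`; // hypothetical configured value

console.log(mayBeFramed(CURRENT, [TEAMS], SELF));                          // false
console.log(mayBeFramed(REQUESTED, [TEAMS], SELF));                        // true
console.log(mayBeFramed(REQUESTED, ["https://app.example", TEAMS], SELF)); // false
```

Because every ancestor in the chain must match, an allowlist containing only the Teams origin still blocks the page when another origin sits between it and Teams. Browsers that enforce `frame-ancestors` ignore `X-Frame-Options` on the same response, so the CSP directive is the one that decides.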
Yes, it goes in the same direction. But “Disable Clickjacking Protection for Classic Universal Login” seems to be an “all or nothing” configuration. I would like to have a more fine-grained configuration rather than completely enable/disable a security setting.
Any update here @dan.woda? This is currently preventing us from using Auth0 within a Microsoft Office Add-in, as we cannot redirect users with Office’s dialog box to our login page using New Universal Login.
We are also affected by this situation; we have been blocked for months in the development of our Microsoft Teams Tab Application and can’t find any solution. The only error that remains is “Refused to frame ‘https://DOMAIN.TLD/’ because an ancestor violates the following Content Security Policy directive: “frame-ancestors ‘none’”.”
How can we find a solution and make the situation move forward?
Hello, we have just started getting the frame-ancestors none error. Our silent authentications were working without an issue up until last night. Any ideas on why this sudden change in behavior @dan.woda? Thank you
Knowing earlier that disabling clickjacking protection doesn’t actually remove frame-ancestors header (as the setting suggests) might have saved me an entire week’s work.
@dan.woda Is there any update on this? I have the same problem. We need to embed the website with Auth0 integrated, but it’s not working in an iframe. We need to embed (using an iframe) a part of the website that can be viewed only by users who have signed in. Auth0 is not allowing signing in in an iframe, so it’s not working for us.
I disabled the clickjacking protection from the Settings → Advanced option, but it’s not working. Is there a way we can allow sign-in using Auth0 in an embedded website?
Thank you in advance for your input and suggestions.