Feature: Make Content-Security-Policy frame-ancestors directive configurable for New Universal Login
Description: From the Docs: On New Universal Login the following security headers are always set:
X-Frame-Options: deny
Content-Security-Policy: frame-ancestors 'none'
From what I understand, this prevents the New Universal Login from being rendered inside iframes, which is absolutely the best default behaviour from the security point of view.
But if I want to define “trusted” ancestors there is no option to do so at the moment.
Use-case: We have a SPA which works great with New Universal Login. Let's say we want to pin our application inside Microsoft Teams as a Channel-Tab. Currently this will not work, since MS-Teams would render our application inside an iframe (at least in the browser version) and the Login would not render. If we could configure the frame-ancestors to allow “https://teams.microsoft.com” for example, we could support such use-cases.
That said, this request must be evaluated carefully since I’m not sure about related security issues.
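The two headers quoted above, and the allow-list the request asks for, can be reasoned about with a small model of how a browser decides whether a page may be framed. The following is an added example in JavaScript, not code from Auth0 or from the thread: it builds the framing headers for the always-on default and for a trusted-ancestor list, parses the frame-ancestors directive, and applies CSP source matching ('none', 'self', scheme, host, wildcard subdomain, port) to a candidate embedding origin. The origins https://login.example.com (the login page) and https://teams.microsoft.com (the only trusted embedder, from the use-case above) are assumptions for the example.

```javascript
// Added example (not Auth0's code). Assumed origins: the login page is served
// from https://login.example.com; https://teams.microsoft.com is the trusted
// embedder from the Teams channel-tab use-case.

// Build the framing headers for a given list of trusted ancestors.
function framingHeaders(trustedAncestors) {
  if (trustedAncestors.length === 0) {
    // Today's New Universal Login default: nobody may frame the page.
    return {
      'X-Frame-Options': 'deny',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  // An allow-list. X-Frame-Options has no allow-list form browsers still
  // honour (ALLOW-FROM is obsolete), so frame-ancestors alone expresses it.
  return {
    'Content-Security-Policy': `frame-ancestors ${trustedAncestors.join(' ')}`,
  };
}

// Extract the frame-ancestors source list from a CSP header value,
// or null when the directive is absent (CSP then says nothing about framing).
function parseFrameAncestors(cspValue) {
  const directive = cspValue
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
  if (!directive) return null;
  return directive.split(/\s+/).slice(1);
}

// A scheme in a source expression matches the same scheme, and an
// http: source also matches https: (the CSP upgrade rule).
function schemeMatches(exprScheme, actualScheme) {
  return exprScheme === actualScheme || (exprScheme === 'http:' && actualScheme === 'https:');
}

// Does one frame-ancestors source expression match the ancestor origin?
function sourceMatches(source, ancestorOrigin, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return ancestorOrigin === selfOrigin;
  const ancestor = new URL(ancestorOrigin);
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeMatches(s, ancestor.protocol);
  // host-source: [scheme://]host[:port]; a scheme-less source takes the
  // protected page's own scheme.
  let scheme = new URL(selfOrigin).protocol;
  let hostPort = s;
  const idx = s.indexOf('://');
  if (idx !== -1) {
    scheme = s.slice(0, idx + 1);
    hostPort = s.slice(idx + 3);
  }
  if (!schemeMatches(scheme, ancestor.protocol)) return false;
  const [host, port] = hostPort.split(':');
  const hostOk = host.startsWith('*.')
    ? ancestor.hostname.endsWith(host.slice(1)) // "*.microsoft.com" matches subdomains only
    : ancestor.hostname === host;
  if (!hostOk) return false;
  if (port === undefined) return ancestor.port === ''; // no port given: default port only
  const actualPort = ancestor.port || (ancestor.protocol === 'https:' ? '443' : '80');
  return port === '*' || port === actualPort;
}

// Decide whether a page served with these headers may be framed by ancestorOrigin.
// When frame-ancestors is present, CSP governs and X-Frame-Options is ignored,
// which is why loosening only X-Frame-Options would not help the use-case.
function mayBeFramedBy(headers, ancestorOrigin, selfOrigin) {
  const sources = parseFrameAncestors(headers['Content-Security-Policy'] || '');
  if (sources !== null) {
    return sources.some((src) => sourceMatches(src, ancestorOrigin, selfOrigin));
  }
  const xfo = (headers['X-Frame-Options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return false;
  if (xfo === 'sameorigin') return ancestorOrigin === selfOrigin;
  return true;
}

const SELF = 'https://login.example.com';
const TEAMS = 'https://teams.microsoft.com';
console.log(mayBeFramedBy(framingHeaders([]), TEAMS, SELF));       // false: the current default
console.log(mayBeFramedBy(framingHeaders([TEAMS]), TEAMS, SELF));  // true: the requested allow-list
console.log(mayBeFramedBy(framingHeaders([TEAMS]), 'https://attacker.example', SELF)); // false
```

The allow-list is exact by design: a source with a scheme matches only that scheme (and https for an http source), a host without a wildcard matches only that host, and a source without a port matches only the default port, so "https://teams.microsoft.com" admits nothing else. Wildcards such as "https://*.microsoft.com" widen the set of origins that may frame the login page, which is the trade-off to weigh before listing them.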
Yes, it goes in the same direction. But “Disable Clickjacking Protection for Classic Universal Login” seems to be an “all or nothing” configuration. I would like to have a more fine-grained configuration rather than completely enable/disable a security setting.
Any update here @dan.woda? This is currently preventing us from using Auth0 within a Microsoft Office Add-in, as we cannot redirect users with Office’s dialog box to our login page using New Universal Login.
We are also affected by this situation; we have been blocked for months in the development of our Microsoft Teams Tab Application and can’t find any solution. The only error that remains is “Refused to frame ‘https://DOMAIN.TLD/’ because an ancestor violates the following Content Security Policy directive: “frame-ancestors ‘none’”.”
How can we find a solution and make the situation move forward?
Hello, we have just started getting the frame-ancestors 'none' error. Our silent authentications were working without an issue up until last night. Any ideas on why this sudden change in behavior, @dan.woda? Thank you.