Make Content-Security-Policy frame-ancestors directive configurable for New Universal Login

j.krabs · November 16, 2023, 3:57pm

Feature: Make Content-Security-Policy frame-ancestors directive configurable for New Universal Login

Description: From the Docs: On New Universal Login the following security headers are always set: X-Frame-Options: deny Content-Security-Policy: frame-ancestors 'none'
From what I understand, this prevents the New Universal Login to be rendered inside iframes which is absolutely the best default behaviour from the security point of view
But if I want to define “trusted” ancestors there is no option to do so in the moment.

Use-case: We have a SPA which works great with New Universal Login. Lets say we want to pin our application inside Microsoft Teams as a Channel-Tab. Currently this will not work, since MS-Teams would render our application inside an iframe (at least in the browser version) and the Login would not render. If we could configure the frame-ancestors to allow “https://teams.microsoft.com” for example we could support such use-cases.

That said, this request must be evaluated carefully since I’m not sure about related security issues

dan.woda · November 21, 2023, 2:48pm

Thanks for the feedback @j.krabs!

From what I can find, this would be similar to the “Disable Clickjacking Protection for Classic Universal Login” setting, but for NUL.

j.krabs · November 21, 2023, 4:40pm

Hi @dan.woda ,

yes it goes in the same direction. But “Disable Clickjacking Protection for Classic Unversal Login” seems to be an “all or nothing” configuration. I would like to have a more fine-grained configuration rather than completely enable/disable a security setting.

dan.woda · November 21, 2023, 5:19pm

Makes sense. Thanks for the additional info!

parlato · January 14, 2024, 11:48pm

Any update here @dan.woda? This is currently preventing us from using Auth0 within a Microsoft Office Add-in, as we cannot redirect users with Office’s dialog box to our login page using New Universal Login.

murugappan.m · January 19, 2024, 11:27am

any updates here @dan.woda . we are facing the same issue with our word add In and a lot of users are affected. This is a p0 issue for us.

dan.woda · January 19, 2024, 7:37pm

Hey folks, I don’t have any updates on this request currently.

dev38 · March 8, 2024, 9:56am

Hello Dan, thank you for the update!

We are also affected by this situation, we are blocked for months in the development of our Microsoft Teams Tab Application and can’t find any solution. The only error that remains is “Refused to frame ‘https://DOMAIN.TLD/’ because an ancestor violates the following Content Security Policy directive: “frame-ancestors ‘none’”.”

How can we find a solution and make the situation move forward?

Thx

j.krabs · March 11, 2024, 7:46am

Hello @dev38 ,
for MS Teams you can place the login into a seperate window to make it work. Have a look at the MS-Documentation:
Configure third party OAuth authentication - Teams | Microsoft Learn

sorix · April 3, 2024, 8:12am

Hello, we have just started getting the frame-ancestors none error. Our silent authentications were working without an issue up until last night. Any ideas on why this sudden change in behavior @dan.woda ? Thank you