Make Content-Security-Policy frame-ancestors directive configurable for New Universal Login

Feature: Make Content-Security-Policy frame-ancestors directive configurable for New Universal Login

Description: From the Docs: On New Universal Login the following security headers are always set: X-Frame-Options: deny Content-Security-Policy: frame-ancestors 'none'
From what I understand, this prevents the New Universal Login to be rendered inside iframes which is absolutely the best default behaviour from the security point of view :+1:
But if I want to define “trusted” ancestors there is no option to do so in the moment.

Use-case: We have a SPA which works great with New Universal Login. Lets say we want to pin our application inside Microsoft Teams as a Channel-Tab. Currently this will not work, since MS-Teams would render our application inside an iframe (at least in the browser version) and the Login would not render. If we could configure the frame-ancestors to allow “https://teams.microsoft.com” for example we could support such use-cases.

That said, this request must be evaluated carefully since I’m not sure about related security issues :slight_smile:

Thanks for the feedback @j.krabs!

From what I can find, this would be similar to the “Disable Clickjacking Protection for Classic Universal Login” setting, but for NUL.

1 Like

Hi @dan.woda ,

yes it goes in the same direction. But “Disable Clickjacking Protection for Classic Unversal Login” seems to be an “all or nothing” configuration. I would like to have a more fine-grained configuration rather than completely enable/disable a security setting.

3 Likes

Makes sense. Thanks for the additional info!

Any update here @dan.woda? This is currently preventing us from using Auth0 within a Microsoft Office Add-in, as we cannot redirect users with Office’s dialog box to our login page using New Universal Login.

6 Likes

any updates here @dan.woda . we are facing the same issue with our word add In and a lot of users are affected. This is a p0 issue for us.

4 Likes

Hey folks, I don’t have any updates on this request currently.

Hello Dan, thank you for the update!

We are also affected by this situation, we are blocked for months in the development of our Microsoft Teams Tab Application and can’t find any solution. The only error that remains is “Refused to frame ‘https://DOMAIN.TLD/’ because an ancestor violates the following Content Security Policy directive: “frame-ancestors ‘none’”.”

How can we find a solution and make the situation move forward?

Thx

1 Like

Hello @dev38 ,
for MS Teams you can place the login into a seperate window to make it work. Have a look at the MS-Documentation:
Configure third party OAuth authentication - Teams | Microsoft Learn

Hello, we have just started getting the frame-ancestors none error. Our silent authentications were working without an issue up until last night. Any ideas on why this sudden change in behavior @dan.woda ? Thank you

1 Like

Knowing earlier that disabling clickjacking protection doesn’t actually remove frame-ancestors header (as the setting suggests) might have saved me an entire week’s work.

I really hope this is resolved soon.

1 Like

Any workaround for this ? This is preventing us from adding iframe with a JWT.