Feature: Make Content-Security-Policy frame-ancestors directive configurable for New Universal Login
Description: From the Docs: On New Universal Login the following security headers are always set:
X-Frame-Options: deny Content-Security-Policy: frame-ancestors 'none'
From what I understand, this prevents the New Universal Login to be rendered inside iframes which is absolutely the best default behaviour from the security point of view
But if I want to define “trusted” ancestors there is no option to do so in the moment.
Use-case: We have a SPA which works great with New Universal Login. Lets say we want to pin our application inside Microsoft Teams as a Channel-Tab. Currently this will not work, since MS-Teams would render our application inside an iframe (at least in the browser version) and the Login would not render. If we could configure the frame-ancestors to allow “https://teams.microsoft.com” for example we could support such use-cases.
That said, this request must be evaluated carefully since I’m not sure about related security issues