Make Content-Security-Policy frame-ancestors directive configurable for New Universal Login

Feature: Make Content-Security-Policy frame-ancestors directive configurable for New Universal Login

Description: From the Docs: On New Universal Login the following security headers are always set:
X-Frame-Options: deny
Content-Security-Policy: frame-ancestors 'none'
From what I understand, this prevents the New Universal Login from being rendered inside iframes, which is absolutely the best default behaviour from the security point of view :+1:
But if I want to define “trusted” ancestors there is no option to do so at the moment.

Use-case: We have a SPA which works great with New Universal Login. Let's say we want to pin our application inside Microsoft Teams as a Channel-Tab. Currently this will not work, since MS-Teams would render our application inside an iframe (at least in the browser version) and the Login would not render. If we could configure the frame-ancestors to allow “https://teams.microsoft.com”, for example, we could support such use-cases.

That said, this request must be evaluated carefully since I’m not sure about related security issues :slight_smile:
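To make the request above concrete, here is an added example (not Auth0 code and not part of the original post) that evaluates the two framing headers the post quotes the way a browser does: it parses the frame-ancestors source list out of a Content-Security-Policy value, checks every origin in the iframe ancestry against it, and falls back to X-Frame-Options only when no frame-ancestors directive is present (CSP takes precedence when both are sent). The login origin, the header objects and the ancestor origins are constructed sample values; the source-expression matching covers 'none', 'self', scheme-sources and host-sources with an optional wildcard label, which is enough to compare the current default with a hypothetical allow-list for Teams.

```javascript
// Added example (not Auth0 code): decide whether a page served with the
// headers quoted in the thread may be rendered inside a given iframe ancestry.

// Parse "frame-ancestors <source-list>" out of a Content-Security-Policy value.
// Returns null when the header carries no frame-ancestors directive.
function parseFrameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.toLowerCase());
    }
  }
  return null;
}

// Does one ancestor origin (e.g. "https://teams.microsoft.com") match one CSP
// source expression? Supports 'none', 'self', scheme-sources ("https:") and
// host-sources ([scheme://]host[:port], host may start with "*.").
// Simplification: a source without a scheme inherits the page's scheme.
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return ancestorOrigin === pageOrigin;
  const a = new URL(ancestorOrigin);
  const aPort = a.port || (a.protocol === 'https:' ? '443' : '80');
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return a.protocol === source;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(source);
  if (!m) return false; // unsupported or malformed expression: fail closed
  const [, scheme, wildcard, host, port] = m;
  const pageScheme = new URL(pageOrigin).protocol;
  if ((scheme ? scheme + ':' : pageScheme) !== a.protocol) return false;
  if (port && port !== '*' && port !== aPort) return false;
  if (!port && a.port) return false; // ancestor on a non-default port, source has none
  if (wildcard) return a.hostname.endsWith('.' + host);
  return a.hostname === host;
}

// Effective framing decision for one response, given the chain of ancestor
// origins. A frame-ancestors directive, when present, overrides X-Frame-Options.
function mayBeFramed(headers, pageOrigin, ancestorOrigins) {
  const sources = parseFrameAncestors(headers['content-security-policy']);
  if (sources) {
    return ancestorOrigins.every(anc => sources.some(src => sourceMatches(src, anc, pageOrigin)));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestorOrigins.every(anc => anc === pageOrigin);
  return true; // no framing restriction at all
}

// Constructed sample responses: the current default from the thread, the same
// response with only X-Frame-Options dropped, and a hypothetical allow-list.
const LOGIN = 'https://login.example.com'; // placeholder tenant domain, not a real one
const CURRENT_DEFAULT = { 'x-frame-options': 'deny', 'content-security-policy': "frame-ancestors 'none'" };
const XFO_REMOVED_ONLY = { 'content-security-policy': "frame-ancestors 'none'" };
const TEAMS_ALLOWLIST = { 'content-security-policy': "frame-ancestors 'self' https://teams.microsoft.com" };

console.log(mayBeFramed(CURRENT_DEFAULT, LOGIN, ['https://teams.microsoft.com']));   // false
console.log(mayBeFramed(XFO_REMOVED_ONLY, LOGIN, [LOGIN]));                          // false: 'none' blocks even self
console.log(mayBeFramed(TEAMS_ALLOWLIST, LOGIN, ['https://teams.microsoft.com']));   // true
console.log(mayBeFramed(TEAMS_ALLOWLIST, LOGIN, ['https://untrusted.example', 'https://teams.microsoft.com'])); // false
```

The last call shows why the check runs over the whole ancestry rather than the immediate parent: an allow-listed origin nested inside an unlisted one is still refused, which is the behaviour a narrow allow-list should have. The XFO_REMOVED_ONLY case shows that dropping X-Frame-Options alone changes nothing while frame-ancestors 'none' remains.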

Thanks for the feedback @j.krabs!

From what I can find, this would be similar to the “Disable Clickjacking Protection for Classic Universal Login” setting, but for NUL.

1 Like

Hi @dan.woda ,

Yes, it goes in the same direction. But “Disable Clickjacking Protection for Classic Universal Login” seems to be an “all or nothing” configuration. I would like to have a more fine-grained configuration rather than completely enable/disable a security setting.

3 Likes

Makes sense. Thanks for the additional info!

Any update here @dan.woda? This is currently preventing us from using Auth0 within a Microsoft Office Add-in, as we cannot redirect users with Office’s dialog box to our login page using New Universal Login.

6 Likes

Any updates here @dan.woda? We are facing the same issue with our Word add-in and a lot of users are affected. This is a P0 issue for us.

4 Likes

Hey folks, I don’t have any updates on this request currently.

Hello Dan, thank you for the update!

We are also affected by this situation, we are blocked for months in the development of our Microsoft Teams Tab Application and can’t find any solution. The only error that remains is “Refused to frame ‘https://DOMAIN.TLD/’ because an ancestor violates the following Content Security Policy directive: “frame-ancestors ‘none’”.”

How can we find a solution and make the situation move forward?

Thx

1 Like

Hello @dev38 ,
for MS Teams you can place the login into a separate window to make it work. Have a look at the MS documentation:
Configure third party OAuth authentication - Teams | Microsoft Learn

Hello, we have just started getting the frame-ancestors none error. Our silent authentications were working without an issue up until last night. Any ideas on why this sudden change in behavior @dan.woda ? Thank you

1 Like

Knowing earlier that disabling clickjacking protection doesn’t actually remove frame-ancestors header (as the setting suggests) might have saved me an entire week’s work.

I really hope this is resolved soon.

1 Like

Any workaround for this? This is preventing us from adding an iframe with a JWT.

1 Like

@dan.woda Is there any update on this? I have the same problem. We need to embed the website with Auth0 integrated, but it’s not working in an iframe. We need to embed (using an iframe) a part of the website that can be viewed only by users who have signed in. Auth0 does not allow signing in inside an iframe, so it’s not working for us.

I disabled the clickjacking protection from the Settings → Advanced option, but it’s not working. Is there a way we can allow sign-in using Auth0 in an embedded website?

Thank you in advance for your input and suggestions.

1 Like