Make Content-Security-Policy frame-ancestors directive configurable for New Universal Login

Feature: Make Content-Security-Policy frame-ancestors directive configurable for New Universal Login

Description: From the Docs: On New Universal Login the following security headers are always set:
X-Frame-Options: deny
Content-Security-Policy: frame-ancestors 'none'
From what I understand, this prevents the New Universal Login from being rendered inside iframes, which is absolutely the best default behaviour from the security point of view :+1:
But if I want to define “trusted” ancestors there is no option to do so at the moment.

Use-case: We have a SPA which works great with New Universal Login. Let's say we want to pin our application inside Microsoft Teams as a Channel-Tab. Currently this will not work, since MS-Teams would render our application inside an iframe (at least in the browser version) and the Login would not render. If we could configure the frame-ancestors to allow “https://teams.microsoft.com”, for example, we could support such use-cases.

That said, this request must be evaluated carefully since I’m not sure about related security issues :slight_smile:
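As an added illustration (not part of the original post or of Auth0's configuration), a small matcher showing how a browser evaluates a frame-ancestors source list against the embedding page's origin, comparing the current 'none' default with a policy that allowlists Teams. The login-page origin and the untrusted embedder are constructed placeholders:

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _parse(origin):
    """Split an origin or CSP host-source into (scheme, host, effective port)."""
    u = urlsplit(origin if "://" in origin else "//" + origin)
    scheme = u.scheme.lower()
    return scheme, u.hostname or "", u.port or DEFAULT_PORTS.get(scheme)

def _source_allows(source, embedder, page):
    """CSP3 matching of one frame-ancestors source against the embedding origin."""
    if source == "'self'":
        return _parse(embedder) == _parse(page)
    e_scheme, e_host, e_port = _parse(embedder)
    p_scheme = _parse(page)[0]
    if source.endswith(":") and "/" not in source:   # scheme-source, e.g. "https:"
        return e_scheme == source[:-1].lower()
    s_scheme, s_host, s_port = _parse(source)
    if s_scheme and e_scheme != s_scheme:
        return False
    # No scheme on the source: embedder must use the page's scheme (https may upgrade http)
    if not s_scheme and e_scheme != p_scheme and not (p_scheme == "http" and e_scheme == "https"):
        return False
    if s_host.startswith("*."):                      # wildcard matches subdomains only
        if not e_host.endswith(s_host[1:]):
            return False
    elif s_host != "*" and s_host != e_host:
        return False
    # Without an explicit port the embedder must use its scheme's default port
    return e_port == (s_port if s_port is not None else DEFAULT_PORTS.get(e_scheme))

def frame_ancestors_allows(csp, embedder, page):
    """True/False once a frame-ancestors directive decides; None if the policy has none."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            if not sources or sources == ["'none'"]:
                return False
            return any(_source_allows(s, embedder, page) for s in sources)
    return None

# Constructed sample: a placeholder login-page origin and the two policies discussed above
LOGIN_PAGE = "https://login.example.com"
DEFAULT_POLICY = "frame-ancestors 'none'"
TRUSTED_POLICY = "frame-ancestors 'self' https://teams.microsoft.com"

if __name__ == "__main__":
    for policy in (DEFAULT_POLICY, TRUSTED_POLICY):
        for embedder in ("https://teams.microsoft.com", "https://untrusted.example", LOGIN_PAGE):
            print(f"{policy:55} {embedder:30} -> {frame_ancestors_allows(policy, embedder, LOGIN_PAGE)}")
```

Note that the scheme, host and port of the embedder must all match the listed source, so an allowlist entry for https://teams.microsoft.com does not also admit http:// or a non-default port.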

Thanks for the feedback @j.krabs!

From what I can find, this would be similar to the “Disable Clickjacking Protection for Classic Universal Login” setting, but for NUL.

Hi @dan.woda ,

Yes, it goes in the same direction. But “Disable Clickjacking Protection for Classic Universal Login” seems to be an “all or nothing” configuration. I would like to have a more fine-grained configuration rather than completely enable/disable a security setting.


Makes sense. Thanks for the additional info!