When does Auth0 send frame-ancestors:none (iframed subdomain)

When does Auth0 send the following headers specifically?
X-Frame-Options: deny
Content-Security-Policy: frame-ancestors 'none'

We are putting one app (on the same domain but a different subdomain) in an iframe. The iframed app will not have a login prompt, but we expect it to be able to get tokens from the parent page's authentication. Will this be feasible? We are using New Universal Login.

Have looked at "Clickjacking Protection for Universal Login Change" and am wondering if this will be an issue.
