X-Frame-Options: SAMEORIGIN


I want to enable sameorigin on the classic universal login to enable an iframe configuration on the same domain. Our administrator tells me that the Clickjacking protection is deny all or allow all.

I want to only allow same domains to keep security measures but allow our own servers to use an iframe.

Our security team will not allow clickjacking protection to be turned off fully for all apps.

References I have come across:

Similar posts:
Login page not open in iframe - No answer on this.
Log in in a popup window - #3 by kim.maida - It seems that creating a pop-up to solve this will create additional issues.

I’d love to have input from @James.Morrison from this post information: Clickjacking Protection in Classic Universal Login!

In case there are any different ideas: we have a website for customers, and within that site we want to present external data, secured by Auth0. For a seamless customer experience we keep the customer in the same location and don’t confuse them with multiple sites/tabs.

Many thanks

Good morning @smm and welcome to the Auth0 Community!

Let me see if I can dig up some details on a solution for you on this front. Thanks!


Good morning @James.Morrison, thank you for your response last week. I was wondering if you had any luck with further details, good or bad? If it is not possible to do then we need to find an alternative method.
Many thanks

I apologize for the delay in response. I confirmed with a senior engineer with regard to this front, and Clickjacking is very much an all or nothing type of situation. For your situation it doesn’t necessarily sound like the right fit.

Thanks James, quite disappointing news but nevertheless confirmed. I appreciate you looking into this for me. Have a great weekend. Simon
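
Background for the question in this thread, as an added example that is not part of any post and is not Auth0 code: a simplified JavaScript model of how a browser evaluates `X-Frame-Options` and the CSP `frame-ancestors` directive. It shows that `SAMEORIGIN` compares full origins (scheme, host, port), so a page on a sibling subdomain still cannot frame the login page. The `example.com` and `example.net` origins are constructed, and only `'self'`, `'none'` and `scheme://host` sources are modelled.

```javascript
// Simplified model of the browser's framing check (added example; all origins are constructed).
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null; // directive absent
}

function sourceMatches(source, ancestor, self) {
  if (source === "'self'") return ancestor.origin === self.origin;
  let src;
  try { src = new URL(source.replace('://*.', '://')); } catch { return false; }
  if (src.protocol !== ancestor.protocol || src.port !== ancestor.port) return false;
  return source.includes('://*.')
    ? ancestor.hostname.endsWith('.' + src.hostname) // wildcard: subdomains only
    : ancestor.hostname === src.hostname;
}

// headers: object with lower-case names; ancestors: URLs of every page above the frame.
function mayBeFramed(headers, selfUrl, ancestors) {
  const self = new URL(selfUrl);
  const chain = ancestors.map((a) => new URL(a));
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    // frame-ancestors takes precedence; X-Frame-Options is not consulted.
    return chain.every((a) => sources.some((s) => sourceMatches(s, a, self)));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return false;
  if (xfo === 'sameorigin') return chain.every((a) => a.origin === self.origin);
  return true; // header absent or unrecognised: no framing restriction
}
```

Every ancestor in the chain is checked, so an allowed page that is itself framed by an unlisted origin is still blocked.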
