Do you have recommendations to overcome the recent "Allow IFrame embedding" security flag?
Our company develops a CTI package app for Salesforce. These apps are embedded in Salesforce as an iframe. Our CTI login is integrated with Okta authentication. We have customers who want to turn off Allow IFrame embedding for security reasons. If they do so, authentication does not complete, and the user is stuck at the login spinner.
Surely we cannot be the only Salesforce app that is integrated with Okta. How have Salesforce app builders overcome this?
Thanks for posting your inquiries in Okta Community. Okta has enabled X-Frame-Option protection for all pages to protect against user interface redress attacks, or Clickjack attacks. To prevent such attacks, Okta no longer allows the embedding of pages rendered into iFrames by default. This is achieved by including the following special HTTP Response Header: X-Frame-Options: SAMEORIGIN. Setting this header one time ensures that pages are displayed in iFrames originate on the same parent Okta domain and prevents the display of such pages that do not originate on the same domain. Allowing iFrame embedding is being disabled by default for all new Okta Orgs, and the majority of existing Okta orgs.
For more information: https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
Please let me know if you need any additional information. Thank you.
If this is indeed unchecked and you are seeing that test work will you let me know. If it is checked i would recommend confirming that you don't actually need to support iFrame embedding and then unchecking to remove this surface area of attack.