Is it Possible to Enable iFrame Embedding for Specific Apps Instead of the Whole Organization
Administration
Okta Classic Engine
Okta Identity Engine
Overview

This article answers whether or not it is possible to enable iFrame embedding on a per-app basis and provides information about Trusted Origins for iFrame embedding.

Applies To
  • iFrame Embedding
  • Trusted Origins
Solution

It is only possible to enable iFrame embedding for the whole Okta org, and it cannot be controlled at an application level. Okta recommends using Trusted Origins for iFrame embedding.

  1. Log in to the Admin Console and navigate to Security > API, then open the Trusted Origins tab.
  2. Click Add Origin.
  3. In the Add Origin dialog, enter Origin Name and Origin URL.
  4. Select the origin type as iFrame embed (origin).
    • If iFrame embedding is enabled in Customizations, the frame-ancestors directive stays in report-only mode rather than being enforced.
  5. Disable iFrame embedding in Customizations:
    • Click the iFrame embedding link displayed in the warning message in the Admin Console, or go to Customizations > Other > iFrame Embedding, and uncheck Enable iFrame embedding.
  6. Back in the Add Origin dialog, click Save.
How it Works

Trusted Origins relies on the Content Security Policy (CSP) frame-ancestors directive, which specifies the parent pages that may embed a page in an iFrame. Adding a Trusted Origin of type iFrame embed makes Okta return that origin in the frame-ancestors directive of the CSP header. Whether the directive is enforced depends on the user's browser: browsers that support CSP frame-ancestors enforce it and give it precedence over X-Frame-Options. When neither CSP nor X-Frame-Options is present, the resource can be embedded by anyone into any site. When X-Frame-Options is set to SAMEORIGIN, the resource can only be displayed in a frame on a page from the same origin. For more information about Trusted Origins for iFrame embedding, see the related references linked below.
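The precedence rules above, worked through as an added example (not code from Okta or this article): a small evaluator that decides whether a CSP-aware browser would let a given parent origin frame a response, given its headers. The origins and headers are constructed placeholders; the scheme-less host matching is simplified from the full CSP rules.

```python
from urllib.parse import urlsplit


def _header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    return {k.lower(): v for k, v in headers.items()}.get(name.lower(), "")


def _frame_ancestors(headers):
    """Source list of frame-ancestors from the *enforced* CSP header, else None.
    Content-Security-Policy-Report-Only is not consulted: a report-only policy
    (the state described in step 4 above) logs violations but never blocks."""
    for directive in _header(headers, "Content-Security-Policy").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _source_allows(source, page_origin, parent_origin):
    """Match one frame-ancestors source expression against the parent origin."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return parent_origin.lower() == page_origin.lower()
    parent = urlsplit(parent_origin)
    if "://" not in src:  # scheme-less host-source: accept the parent's scheme (simplified)
        src = parent.scheme + "://" + src
    allowed = urlsplit(src)
    host_ok = allowed.hostname == parent.hostname or (
        allowed.hostname.startswith("*.")
        and parent.hostname.endswith(allowed.hostname[1:]))
    return (allowed.scheme == parent.scheme and host_ok
            and (allowed.port is None or allowed.port == parent.port))


def may_be_framed(headers, page_origin, parent_origin):
    """True if parent_origin may embed a page served with these response headers."""
    ancestors = _frame_ancestors(headers)
    if ancestors is not None:  # an enforced frame-ancestors wins over X-Frame-Options
        return any(_source_allows(s, page_origin, parent_origin) for s in ancestors)
    xfo = _header(headers, "X-Frame-Options").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent_origin.lower() == page_origin.lower()
    return True  # neither header: anyone may frame the page


OKTA_ORG = "https://example.okta.com"  # constructed placeholder, not a real org
TRUSTED = {"Content-Security-Policy": "frame-ancestors 'self' https://portal.example.com"}
SAMEORIGIN_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
```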

Related References
