Okta Classic Engine | Administration | Answered | Timestamps: 2025-06-14T10:29:51.000Z, 2016-01-28T16:08:06.000Z, 2018-03-13T00:15:42.000Z
Do you have recommendations to overcome the recent "Allow IFrame embedding" security flag?
Our company develops a CTI package app for Salesforce. These apps are embedded in Salesforce as an iframe. Our CTI login is integrated with Okta authentication. We have customers who want to turn off Allow IFrame embedding for security reasons. If they do so, authentication does not complete, and the user is stuck at the login spinner.
Surely we cannot be the only Salesforce app that is integrated with Okta. How have Salesforce app builders overcome this?

  • JP Manansala (Okta, Inc.)

    Hi Hadi,

    Thanks for posting your inquiries in Okta Community. Okta has enabled X-Frame-Options protection for all pages to protect against user interface redress attacks, or Clickjack attacks. To prevent such attacks, Okta no longer allows the embedding of pages rendered into iFrames by default. This is achieved by including the following special HTTP response header: X-Frame-Options: SAMEORIGIN. Setting this header once ensures that pages displayed in iFrames originate on the same parent Okta domain and prevents the display of such pages that do not originate on the same domain. Allowing iFrame embedding is being disabled by default for all new Okta Orgs and the majority of existing Okta orgs.

    For more information: https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

    Please let me know if you need any additional information. Thank you.

    Best,

    JP
  • iim1z (iim1z)

    It looks like this functionality doesn't work, as I am able to insert our company Okta page within an iFrame on a web page. Please readdress this issue!!!
  • iim1z (iim1z)

    Jaypee, please see above Clickjacking issue!
  • Matt

    Hi Michael,

    Can you confirm a setting for me?

    Admin UI: Settings -> Customization -> IFrame Embedding

    Allow IFrame embedding

    If this is indeed unchecked and you are seeing that test work, will you let me know? If it is checked, I would recommend confirming that you don't actually need to support iFrame embedding and then unchecking it to remove this surface area of attack.

    -Matt
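To see what JP's X-Frame-Options explanation and Matt's admin-setting test amount to on the wire, here is an added example (not Okta's code, and not posted by anyone in this thread) that decides from a response's headers whether a browser would render the page inside an iframe on another site. It goes slightly beyond the thread in that it also evaluates Content-Security-Policy frame-ancestors, which browsers consult in preference to X-Frame-Options when both are present. The hostnames example.okta.com and acme.my.salesforce.com, the SAMPLES header sets and the fetch_headers helper are assumptions made up for this example.

```python
"""Added example (not Okta's code): decide from HTTP response headers whether
a browser would render a page inside an iframe on another site.

Two headers matter: X-Frame-Options, the header the thread describes, and
Content-Security-Policy frame-ancestors, which takes precedence over
X-Frame-Options when both are present. The SAMPLES header sets at the bottom
are constructed, not captured from an Okta org.
"""
import sys
import urllib.request
from urllib.parse import urlsplit


def _origin(url):
    """scheme://host[:port], lowercased: the tuple SAMEORIGIN compares."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"


def _match_source(source, framer_url, page_origin):
    """Match one frame-ancestors source expression against the framing page.

    Supports 'none', 'self', *, scheme sources (https:) and host sources
    ([scheme://]host[:port], host may start with '*.'). Simplification:
    a host source without a scheme accepts either http or https.
    """
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return _origin(framer_url) == page_origin
    if s == "*":
        return True
    f = urlsplit(framer_url)
    f_scheme, f_host = f.scheme.lower(), (f.hostname or "").lower()
    f_port = f.port or {"https": 443, "http": 80}.get(f_scheme)
    if s.endswith(":") and "://" not in s:  # scheme source such as https:
        return f_scheme == s[:-1]
    scheme, _, rest = s.partition("://") if "://" in s else ("", "", s)
    if scheme and scheme != f_scheme:
        return False
    host, _, port = rest.split("/")[0].partition(":")
    if port and port != "*" and int(port) != f_port:
        return False
    if host.startswith("*."):
        return f_host.endswith(host[1:])  # "*.example.com" -> suffix ".example.com"
    return f_host == host


def framing_allowed(headers, page_url, framer_url):
    """Return (allowed, reason) for rendering page_url in a frame on framer_url.

    headers: response header name -> value (any case). Only the enforced
    Content-Security-Policy header counts: the Report-Only variant and CSP
    delivered in a <meta> tag do not restrict framing.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page_origin = _origin(page_url)

    # CSP frame-ancestors wins over X-Frame-Options when both are present.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:] or ["'none'"]  # an empty source list means 'none'
            allowed = any(_match_source(s, framer_url, page_origin) for s in sources)
            return allowed, "frame-ancestors " + " ".join(sources)

    xfo = h.get("x-frame-options")
    if xfo is None:
        return True, "no X-Frame-Options or frame-ancestors: any site may frame this page"
    values = {v.strip().upper() for v in xfo.split(",") if v.strip()}
    if len(values) > 1:
        # Conflicting values (e.g. "DENY, SAMEORIGIN"): browsers refuse to frame.
        return False, f"conflicting X-Frame-Options values {sorted(values)}"
    value = values.pop() if values else ""
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return _origin(framer_url) == page_origin, "X-Frame-Options: SAMEORIGIN"
    # ALLOW-FROM, empty and unknown values are ignored by current browsers,
    # so they impose no restriction at all.
    return True, f"X-Frame-Options: {value!r} is not honoured by current browsers"


def fetch_headers(url):
    """GET url and return the headers of the final response (redirects followed)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers)


# Constructed sample header sets (assumed, not captured) to exercise the check offline.
SAMPLES = {
    "okta-default": {"X-Frame-Options": "SAMEORIGIN"},
    "embedding-allowed": {},
    "csp-allowlist": {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.my.salesforce.com",
    },
}

if __name__ == "__main__":
    # Hypothetical hostnames; pass a real URL as argv[1] to check a live page.
    page = sys.argv[1] if len(sys.argv) > 1 else "https://example.okta.com/"
    framer = "https://acme.my.salesforce.com/"
    sets = {"live": fetch_headers(page)} if len(sys.argv) > 1 else SAMPLES
    for name, hdrs in sets.items():
        allowed, why = framing_allowed(hdrs, page, framer)
        print(f"{name:18} framed from {framer}: {'ALLOWED' if allowed else 'BLOCKED'} ({why})")
```

With no argument the script evaluates the constructed samples; with a URL as its only argument it fetches that page and reports whether the assumed Salesforce origin could frame it. It is a useful cross-check for a browser test like iim1z's: if the response carries X-Frame-Options: SAMEORIGIN and the framing page is on another origin, the browser should refuse to render the frame, so a frame that does render means the header was absent on that response.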
This question is closed.