How to configure CSP frame-ancestors directive for authorize endpoint

The Okta Sign-In Widget on my site recently stopped working, with the following error reported in the Developer Tools console:

Refused to frame ‘https://myapp.com/’ because an ancestor violates the following Content Security Policy directive: “frame-ancestors ‘self’”.

In the list of network requests, I see that /oauth2/default/v1/authorize returns the following Content-Security-Policy response header: ...; frame-ancestors 'self'

How do I add a frame-ancestors origin to this response header? In Okta Admin Console, I tried going to Security > API > Trusted Origins and selecting the “iFrame origin” check box for my origin, but the following warning appears, and indeed the check box has no effect:

The /authorize endpoint won’t treat this URL as a trusted origin. Validate your CSP headers in report-only mode to prevent errors.
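To make the browser's decision concrete, here is an added example (not part of the original post and not Okta's code) that evaluates a `frame-ancestors` directive the way a browser does: it parses a Content-Security-Policy header and reports whether a given embedding origin would be allowed to frame the page. The header values, the page origin `https://example-org.okta.example` and the embedding origin `https://myapp.com` are constructed for the demonstration; the first case reproduces the refusal in the error message above, and the later cases show what a wildcard, scheme-less, and port-qualified source would match if an origin could be added to the directive.

```python
from urllib.parse import urlsplit

# Default ports used when an origin or source omits one.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source, ...]}."""
    directives = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        # Per CSP, the first occurrence of a directive wins; later duplicates are ignored.
        directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def _origin_parts(origin):
    """Normalise an origin string into (scheme, host, effective port)."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def _host_source_matches(source, ancestor_origin, page_scheme):
    """Match one host-source (e.g. https://*.myapp.com:443) against an ancestor origin.

    Simplification: IPv6 literals and path components are not handled.
    """
    a_scheme, a_host, a_port = _origin_parts(ancestor_origin)
    if "://" in source:
        s_scheme, rest = source.split("://", 1)
        s_scheme = s_scheme.lower()
    else:
        s_scheme, rest = None, source
    if ":" in rest:
        s_host, s_port = rest.rsplit(":", 1)
    else:
        s_host, s_port = rest, None
    s_host = s_host.lower()

    # Scheme: an explicit scheme must match exactly; an omitted scheme matches the
    # protected page's own scheme (an http page also accepts https ancestors).
    if s_scheme is not None:
        if a_scheme != s_scheme:
            return False
    elif not (a_scheme == page_scheme or (page_scheme == "http" and a_scheme == "https")):
        return False

    # Host: "*.example.com" matches subdomains only, never the bare domain.
    if s_host.startswith("*."):
        suffix = s_host[1:]
        if not (a_host.endswith(suffix) and len(a_host) > len(suffix)):
            return False
    elif a_host != s_host:
        return False

    # Port: "*" matches any port; an explicit port must match; an omitted port
    # only matches the default port for the ancestor's scheme.
    if s_port == "*":
        return True
    if s_port is not None:
        return a_port == int(s_port)
    return a_port == DEFAULT_PORTS.get(a_scheme)


def frame_ancestors_allows(csp_header, page_origin, ancestor_origin):
    """Return True if a page served with csp_header may be framed by ancestor_origin."""
    sources = parse_csp(csp_header).get("frame-ancestors")
    if sources is None:
        # No directive: CSP imposes no framing restriction (X-Frame-Options may still apply).
        return True
    if [s.lower() for s in sources] == ["'none'"]:
        return False
    p_scheme, p_host, p_port = _origin_parts(page_origin)
    a_parts = _origin_parts(ancestor_origin)
    for src in sources:
        s = src.lower()
        if s == "'self'":
            if (p_scheme, p_host, p_port) == a_parts:
                return True
        elif s == "*":
            return True
        elif s.endswith(":") and "/" not in s:  # scheme-source such as "https:"
            if a_parts[0] == s[:-1]:
                return True
        elif _host_source_matches(src, ancestor_origin, p_scheme):
            return True
    return False


if __name__ == "__main__":
    # Constructed values: the Okta org origin is a placeholder, not a real tenant.
    page = "https://example-org.okta.example"
    header = "default-src 'self'; frame-ancestors 'self'"
    print(frame_ancestors_allows(header, page, "https://myapp.com"))  # False: the refusal in the console
    header = "frame-ancestors 'self' https://myapp.com"
    print(frame_ancestors_allows(header, page, "https://myapp.com"))  # True
```

The function mirrors the matching rules for `frame-ancestors` source expressions: `'self'` compares scheme, host and port of the ancestor against the framed page itself, which is why an org's own origin never matches a different site's origin, and a bare `'none'` refuses every embedder regardless of anything else in the list.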

Hey there @mliu-st, I think this doc might help: Trusted Origins for iFrame embedding | Okta

1 Like

The “Trusted Origins for iFrame embedding” doc doesn’t appear to explain how to configure the frame-ancestors directive for the /authorize endpoint. As I said in my question, the “iFrame origin” check box (mentioned in that doc) has no effect on this endpoint.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.