The Okta Sign-In Widget on my site recently stopped working, with the following error reported in the Developer Tools console:
Refused to frame ‘https://myapp.com/’ because an ancestor violates the following Content Security Policy directive: “frame-ancestors ‘self’”.
In the list of network requests, I see that /oauth2/default/v1/authorize returns the following Content-Security-Policy response header: ...; frame-ancestors 'self'
How do I add a frame-ancestors origin to this response header? In Okta Admin Console, I tried going to Security > API > Trusted Origins and selecting the “iFrame origin” check box for my origin, but the following warning appears, and indeed the check box has no effect:
The /authorize endpoint won’t treat this URL as a trusted origin. Validate your CSP headers in report-only mode to prevent errors.
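Added example, not part of the question above and not Okta code: a compact evaluator for the CSP frame-ancestors directive, following the source-expression matching rules of CSP Level 3, so the refusal in the console error can be reproduced offline. It assumes the usual reading of the error: the header was delivered with the /authorize response, so 'self' is the Okta org origin, and the page that contains the iframe (https://myapp.com) is the ancestor being tested. The org origin https://dev-123456.okta.com is a constructed placeholder, and the header values are constructed.

```javascript
// Added example: evaluate a Content-Security-Policy frame-ancestors directive the way
// a browser does, to show why "frame-ancestors 'self'" rejects a parent page on another
// origin. Not Okta code; origins and header values below are constructed placeholders.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Normalise a serialized origin to scheme / lower-case host / explicit port.
function parseOrigin(origin) {
  const u = new URL(origin);
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORTS[u.protocol] || '' };
}

// Extract the frame-ancestors source list from a CSP header value.
// Returns null when the directive is absent (CSP then imposes no framing restriction).
function parseFrameAncestors(headerValue) {
  for (const directive of headerValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Scheme comparison including the upgrades the spec permits (http -> https, ws -> wss).
function schemeMatches(expected, actual) {
  return expected === actual
    || (expected === 'http:' && actual === 'https:')
    || (expected === 'ws:' && actual === 'wss:');
}

// host-source: [scheme://] host-or-wildcard [:port|:*] [/path]
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?(?:\/.*)?$/i;

// Does one source expression allow the ancestor origin? `self` is the origin of the
// document that carried the header (here: the Okta org that answered /authorize).
function sourceMatches(expr, self, ancestor) {
  if (expr === "'none'") return false;
  if (expr === "'self'") {
    return ancestor.host === self.host
      && schemeMatches(self.scheme, ancestor.scheme)
      && (ancestor.port === self.port
          || (self.port === DEFAULT_PORTS[self.scheme] && ancestor.port === DEFAULT_PORTS[ancestor.scheme]));
  }
  // scheme-source, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return schemeMatches(expr.toLowerCase(), ancestor.scheme);
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;                                   // unparseable expression matches nothing
  const [, scheme, hostPattern, port] = m;
  const expectedScheme = scheme ? scheme.toLowerCase() + ':' : self.scheme;
  if (!schemeMatches(expectedScheme, ancestor.scheme)) return false;
  const pattern = hostPattern.toLowerCase();
  if (pattern === '*') { /* any host */ }
  else if (pattern.startsWith('*.')) { if (!ancestor.host.endsWith(pattern.slice(1))) return false; }
  else if (pattern !== ancestor.host) return false;
  if (port === '*') return true;
  if (port) return port === ancestor.port;
  return ancestor.port === DEFAULT_PORTS[ancestor.scheme]; // no port in expression: default port only
}

// Apply the directive to the whole ancestor chain: every ancestor must match some source.
function framingAllowed(headerValue, selfOrigin, ancestorOrigins) {
  const sources = parseFrameAncestors(headerValue);
  if (sources === null) return true;
  const self = parseOrigin(selfOrigin);
  return ancestorOrigins.every((a) => {
    const ancestor = parseOrigin(a);
    return sources.some((src) => sourceMatches(src, self, ancestor));
  });
}

// The situation in the question: /authorize answers with frame-ancestors 'self' and the
// page on https://myapp.com (constructed) tries to frame it.
const OKTA_ORIGIN = 'https://dev-123456.okta.com';        // constructed org origin
console.log(framingAllowed("default-src 'self'; frame-ancestors 'self'", OKTA_ORIGIN, ['https://myapp.com']));
console.log(framingAllowed("frame-ancestors 'self' https://myapp.com", OKTA_ORIGIN, ['https://myapp.com']));
```

The first call is refused: 'self' resolves to the origin that served the header, so a parent page on https://myapp.com never matches it, regardless of what the framed page loads afterwards. The second call shows the header value a browser would need to see for that parent to be allowed; the evaluator also handles scheme-only sources, `*.` host wildcards, explicit and wildcard ports, and multi-level ancestor chains, which is where most hand-written frame-ancestors values go wrong.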