How to configure CSP frame-ancestors directive for authorize endpoint

The Okta Sign-In Widget on my site recently stopped working, with the following error reported in the Developer Tools console:

Refused to frame ‘https://myapp.com/’ because an ancestor violates the following Content Security Policy directive: “frame-ancestors ‘self’”.

In the list of network requests, I see that /oauth2/default/v1/authorize returns the following Content-Security-Policy response header: ...; frame-ancestors 'self'

How do I add a frame-ancestors origin to this response header? In Okta Admin Console, I tried going to Security > API > Trusted Origins and selecting the “iFrame origin” check box for my origin, but the following warning appears, and indeed the check box has no effect:

The /authorize endpoint won’t treat this URL as a trusted origin. Validate your CSP headers in report-only mode to prevent errors.
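To make the browser's decision in the error above concrete, here is a small evaluator for CSP frame-ancestors source expressions that can be run against the header the /authorize endpoint returns. This is an added example, not code from this thread or from Okta; the `example.okta.com` and `myapp.com` URLs are constructed placeholders.

```javascript
// Evaluator for the CSP frame-ancestors directive (added example; not Okta code).
// Covers the CSP3 source-expression forms: 'self', 'none', scheme sources
// ("https:"), host sources with optional scheme, "*." wildcards and ports.
// Simplification: a host source with no scheme must match the framed
// response's own scheme (the spec also lets an https ancestor match http).
function parseFrameAncestors(header) {
  // Returns the directive's source list, or null if the directive is absent.
  for (const directive of header.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1);
    }
  }
  return null;
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".myapp.com": needs one extra label
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// `self` is the URL of the framed response; `ancestor` is the framing page's URL.
function sourceMatches(source, self, ancestor) {
  const src = source.toLowerCase().replace(/^'|'$/g, "");
  if (src === "self") return ancestor.origin === self.origin;
  if (src === "none") return false;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return ancestor.protocol === src;
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  const wantProtocol = scheme ? scheme + ":" : self.protocol;
  if (ancestor.protocol !== wantProtocol) return false;
  if (!hostMatches(hostPattern, ancestor.hostname)) return false;
  // No port in the source: the ancestor must be on its scheme's default port,
  // which the URL API reports as an empty string.
  if (!port) return ancestor.port === "";
  const ancPort = ancestor.port || { "https:": "443", "http:": "80" }[ancestor.protocol] || "";
  return port === "*" || port === ancPort;
}

function isFramingAllowed(header, responseUrl, ancestorUrl) {
  const sources = parseFrameAncestors(header);
  if (sources === null) return true; // no frame-ancestors: CSP imposes no limit
  const self = new URL(responseUrl);
  const ancestor = new URL(ancestorUrl);
  return sources.some((s) => sourceMatches(s, self, ancestor));
}
```

Run against the header quoted in the question, `frame-ancestors 'self'` admits only the response's own origin as a framing page, so an embedding page on https://myapp.com is refused, which is exactly the console error shown.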

Hey there @mliu-st, I think this doc might help: Trusted Origins for iFrame embedding | Okta


The “Trusted Origins for iFrame embedding” doc doesn’t appear to explain how to configure the frame-ancestors directive for the /authorize endpoint. As I said in my question, the “iFrame origin” check box (mentioned in that doc) has no effect on this endpoint.
