We are using the hosted Okta Sign-in page. Our signin page is on, say, sso. mydomain .com, and our website has different subdomains like account. mydomain .com, products.mydomain .com etc.
We would like to show the sign-in page in a modal embedded in an iframe on our webpage, but even though all our sites are on mydomain .com, they are considered as different origins because of the different subdomains and are subject to CORS limitations. The only way to make it work is to enable the iFrame Embedding option in the Customizations → Other section on Okta Admin portal but this will make our site susceptible to Clickjacking attacks.
Is it possible to enable iFrame embedding only for specific domains? I believe the above Iframe Embedding option sets the Content-Security-Policy header of the response Okta sends, so can we configure this header on Okta and make it return, say, Content-Security-Policy: default-src ‘self’ mydomain .com *.mydomain .com? So only mydomain .com can embed the sign in page in an iFrame…
Believe this will be much more secure than opening up all sites to iFrame embedding.