Safari Embedded iFrame Fails to Authorize with Okta

In Safari (works in Chrome), the application embedded in the iFrame gets stuck on the Okta authorize redirect.

The Safari error is ‘[Error] The Content Security Policy directive ‘frame-ancestors’ is ignored when delivered in a report-only policy.’

Ok, I can see in both Chrome and Safari headers that the authorize request, and only that request, is sending both Content-Security-Policy-Report-Only and Content-Security-Policy headers. Chrome continues where Safari stops.

I have worked on the CSP headers in Cloudflare, and have no errors in Chrome.

The Okta org is in its frame-src directive.

I have added both frame ancestor and frame src URLs to Okta > Security > API > Trusted Origins with IFrame Embed checked.

We do not have Customizations > iFrame Enabled.

What could be the issue / solution for Safari to authorize with Okta when embedded in the iFrame?

https://help.okta.com/oie/en-us/content/topics/api/trusted-origins-iframe.htm?cshid=csh-trusted-origins-iframe#embed-okta

https://support.okta.com/help/s/article/frequently-asked-questions-and-known-issues-with-trusted-origins-for-iframe-embedding?language=en_US
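Added example, not code from this thread or from Okta: a small checker for the two CSP directives that decide whether a login page can be embedded. On the embedded (child) response, `frame-ancestors` controls which parent origins may frame it, and browsers only honour it in the enforced Content-Security-Policy header (in a Report-Only header it is ignored, which is what the Safari console message above reports); on the parent page, `frame-src` (falling back to `child-src`, then `default-src`) controls which origins may be loaded in an iframe. The header values, the `portal.example.com` parent origin and the `dev-000000.okta.com` org hostname are constructed placeholders, not values from the post.

```python
"""Check the CSP directives that govern iframe embedding of a login page.

Added example, not from the forum thread or from Okta. All header values
and origins are constructed placeholders.
"""
from urllib.parse import urlparse


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def _split_source(src: str):
    """Break a host-source like https://*.example.com:8443/path into (scheme, host, port)."""
    scheme = None
    if "://" in src:
        scheme, src = src.split("://", 1)
    host, _, port = src.split("/", 1)[0].partition(":")
    return (scheme.lower() if scheme else None), host.lower(), port


def source_allows(source: str, origin: str, self_origin: str) -> bool:
    """True if one CSP source expression matches `origin`.
    Handles 'none', 'self', '*', scheme-sources (https:) and host-sources with an
    optional leading wildcard label and optional port. Schemes must match exactly."""
    if source.startswith("'"):
        keyword = source.strip("'").lower()
        if keyword == "self":
            return origin.lower() == self_origin.lower()
        return False                      # 'none' and any other keyword
    if source == "*":
        return True
    o = urlparse(origin)
    o_port = o.port or (443 if o.scheme == "https" else 80)
    if source.endswith(":") and "/" not in source:   # scheme-source, e.g. "https:"
        return o.scheme == source[:-1].lower()
    scheme, host, port = _split_source(source)
    if scheme and scheme != o.scheme:
        return False
    if port and port != "*" and port != str(o_port):
        return False
    o_host = (o.hostname or "").lower()
    if host.startswith("*."):             # "*.example.com" matches subdomains only
        return o_host.endswith(host[1:])
    return host == o_host


def check_child_response(headers: dict, parent_origin: str, child_origin: str) -> dict:
    """Evaluate the embedded page's response headers for framing by `parent_origin`."""
    findings = []
    report_only = parse_csp(headers.get("Content-Security-Policy-Report-Only", ""))
    enforced = parse_csp(headers.get("Content-Security-Policy", ""))
    if "frame-ancestors" in report_only:
        findings.append("frame-ancestors appears in the Report-Only header and is ignored there")
    ancestors = enforced.get("frame-ancestors")
    if ancestors is None:
        findings.append("no enforced frame-ancestors; framing is governed by X-Frame-Options, if any")
        allowed = True
    else:
        allowed = any(source_allows(s, parent_origin, child_origin) for s in ancestors)
        if not allowed:
            findings.append(f"enforced frame-ancestors does not allow {parent_origin}")
    return {"framing_allowed": allowed, "findings": findings}


def parent_allows_frame(parent_csp: str, child_origin: str, parent_origin: str) -> bool:
    """Does the parent page's CSP let it embed `child_origin`? frame-src falls back
    to child-src, then default-src; with none of them present, anything is allowed."""
    policy = parse_csp(parent_csp)
    for directive in ("frame-src", "child-src", "default-src"):
        if directive in policy:
            return any(source_allows(s, child_origin, parent_origin) for s in policy[directive])
    return True


# Constructed sample of an authorize response carrying both headers (not a capture from Okta).
CHILD_HEADERS = {
    "Content-Security-Policy-Report-Only": "frame-ancestors 'self' https://portal.example.com; report-uri /csp",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.example.com",
}
# Constructed sample of the parent page's policy; dev-000000.okta.com is a placeholder org.
PARENT_CSP = "default-src 'self'; frame-src 'self' https://dev-000000.okta.com"

if __name__ == "__main__":
    print(check_child_response(CHILD_HEADERS, "https://portal.example.com", "https://dev-000000.okta.com"))
    print(parent_allows_frame(PARENT_CSP, "https://dev-000000.okta.com", "https://portal.example.com"))
```

Run it against the real headers by pasting the authorize response's two CSP values into `CHILD_HEADERS` and the parent page's policy into `PARENT_CSP`; the first finding is the one to look for when the only `frame-ancestors` entry sits in the Report-Only header, since the enforced header then decides framing on its own.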

Solved.

Users need to uncheck Privacy > Website Tracking > Prevent cross-site tracking

https://support.okta.com/help/s/article/embedded-browser-not-showing-correctly-on-ios-macos-device?language=en_US
