X-Frame-Options

Context :: We embed our application that is behind Okta in an iframe within LivePerson.

Problem :: When a user lands on the page for the first time, the iframe shows blank. In the console, the error reads: “refused to display {URL} in a frame because it set ‘x-frame-options’ to ‘sameorigin’”. The user needs to open a new tab for the application, which then authenticates through Okta, before returning and refreshing for the LivePerson iframe to work.

Feature request // Solution :: The Okta proxy does not allow being <iframe>'ed for specific domains. It has a response header of: “X-Frame-Options: sameorigin”. Extend an option for Okta to allow for an alternate header: “X-Frame-Options: allow-from https://liveperson.net”. At the moment, it is only possible to allow all domains to embed or none at all.

Was there ever a solution to this? We have this exact problem, trying to embed OKTA-secured website content within Confluence.

We are doing the same here. We have an OKTA-protected app (SAML) and need to embed an OIDC app in an iframe. Currently, the 2FA is appearing in the iframe. How do we prevent this from showing up?

Hi @cneddle!

Check out this Okta Ideas submission that is related to only allowing iFrame embedding for specific applications. This Idea is currently on our Roadmap and you can monitor the Idea posting for details about when it will be available.

You cannot display a lot of websites inside an iFrame. Reason being that they send an “X-Frame-Options: SAMEORIGIN” response header. This option prevents the browser from displaying iFrames that are not hosted on the same domain as the parent page.

I faced the same error when displaying youtube links. For example: https://www.youtube.com/watch?v=8WkuChVeL0s

I replaced watch?v= with embed/ so the valid link will be: https://www.youtube.com/embed/8WkuChVeL0s

It works well.

Try to apply the same rule on your case.

SAMEORIGIN

The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin.
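The two posts above describe the browser-side rule in words; the following is an added example (not from the original thread, not Okta's code, and not any browser's source) that models that decision in Node.js so the SAMEORIGIN ancestor-chain behaviour and the `allow-from` request from the first post can be checked against concrete inputs. Two caveats a practitioner should know: current browsers do not implement `X-Frame-Options: ALLOW-FROM` (Chrome never did and logs it as an invalid header), and an unrecognized X-Frame-Options value is simply ignored, so sending `ALLOW-FROM` makes the page frameable by any site rather than by one. The standardized way to allow a specific embedding site is the CSP `frame-ancestors` directive, which, when present, takes precedence over X-Frame-Options and is matched against every ancestor frame. The origins and headers in the code are constructed sample inputs; `app.example.com` is a stand-in for the Okta-protected application.

```javascript
// Added example: a model of the browser's framing decision for
// X-Frame-Options and Content-Security-Policy frame-ancestors.
// Not Okta's code or any browser's source; origins below are constructed.
"use strict";

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Split "scheme://host[:port]" into comparable parts, filling in default ports.
function originParts(origin) {
  const u = new URL(origin);
  return { scheme: u.protocol, host: u.hostname.toLowerCase(),
           port: u.port || DEFAULT_PORTS[u.protocol] || "" };
}

function sameOrigin(x, y) {
  const a = originParts(x), b = originParts(y);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Parse a CSP header value into { directiveName: [source, ...] }.
// A repeated directive is ignored; the first occurrence wins, as in the spec.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Does one frame-ancestors source expression match an ancestor origin?
// Handles 'none', 'self', scheme-only (https:), exact hosts, *.wildcard hosts
// and optional ports; paths are not meaningful for frame-ancestors.
function sourceMatches(source, ancestorOrigin, documentOrigin) {
  const src = source.replace(/^'|'$/g, "").toLowerCase();
  if (src === "none") return false;
  if (src === "self") return sameOrigin(ancestorOrigin, documentOrigin);
  const a = originParts(ancestorOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return a.scheme === src;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && a.scheme !== scheme + ":") return false;
  if (wildcard ? !a.host.endsWith("." + host) : a.host !== host) return false;
  const wantPort = port ?? DEFAULT_PORTS[scheme ? scheme + ":" : a.scheme] ?? "";
  return port === "*" || a.port === wantPort;
}

// Decide whether a document from `documentOrigin`, served with `headers`
// (lower-cased header names), may render in a frame whose ancestor origins
// are `ancestorOrigins` (immediate parent first, top-level page last).
function framingDecision(headers, documentOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) {
    return { allowed: true, reason: "top-level navigation, not framed" };
  }
  const csp = headers["content-security-policy"];
  if (csp) {
    const sources = parseCsp(csp)["frame-ancestors"];
    if (sources) {
      // frame-ancestors overrides X-Frame-Options and covers the whole chain.
      const blocked = ancestorOrigins.find(
        (anc) => !sources.some((s) => sourceMatches(s, anc, documentOrigin)));
      return blocked
        ? { allowed: false, reason: `frame-ancestors does not allow ${blocked}` }
        : { allowed: true, reason: "every ancestor matches frame-ancestors" };
    }
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "") return { allowed: true, reason: "no framing restriction sent" };
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") {
    // Current browsers require every ancestor, not just the parent, to match.
    const foreign = ancestorOrigins.find((anc) => !sameOrigin(anc, documentOrigin));
    return foreign
      ? { allowed: false, reason: `SAMEORIGIN, but ancestor ${foreign} differs` }
      : { allowed: true, reason: "SAMEORIGIN, all ancestors same-origin" };
  }
  // ALLOW-FROM and any other unrecognized value: the header is ignored, so the
  // page becomes frameable by anyone. Use CSP frame-ancestors instead.
  return { allowed: true, reason: `unrecognized X-Frame-Options "${xfo}" ignored` };
}

// The thread's scenario (constructed): an app behind Okta framed by LivePerson.
const APP = "https://app.example.com";
console.log(framingDecision({ "x-frame-options": "SAMEORIGIN" }, APP,
                            ["https://liveperson.net"]));
console.log(framingDecision({ "content-security-policy":
                              "frame-ancestors 'self' https://liveperson.net" },
                            APP, ["https://liveperson.net"]));
```

Run it with `node` to see the first call refused (the blank iframe from the first post) and the second call allowed, which is the header the embedding site would need the identity provider or proxy to send instead of `allow-from`.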

Hi there, this link is dead. Was the feature released?

I’m still able to access the link, but maybe you don’t have access to it. Can you try accessing it as described here?

And no, it has not yet been released but it is still marked as “Planned.”

Huh, weird! I still can’t see it. Well I’ll be eager to hear when this is released. This is what I see when I log in via the method described in that article you sent: