X-Frame-Options


#1

Context :: We embed our application that is behind Okta in an iframe within LivePerson.

Problem :: When a user lands on the page for the first time, the iframe shows blank. In the console, the error reads: “refused to display {URL} in a frame because it set ‘x-frame-options’ to ‘sameorigin’”. The user needs to open a new tab for the application, which then authenticates through Okta, before returning and refreshing for the LivePerson iframe to work.

Feature request // Solution :: The Okta proxy does not allow being <iframe>'ed for specific domains. It has a response header of: “X-Frame-Options: sameorigin”. Extend an option for Okta to allow for an alternate header: “X-Frame-Options: allow-from https://liveperson.net”. At the moment, it is only possible to allow all domains to embed or none at all.
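One way a per-application embedding allowlist like the one requested above could be expressed, as an added example that is not part of the original post and not Okta's code. It emits the CSP `frame-ancestors` directive, which current browsers enforce in place of `X-Frame-Options` (they do not honour `allow-from`), and keeps `SAMEORIGIN` as a fallback for older clients. The function name `framing_headers` and the allowlist setting are assumptions.

```python
import re

# scheme://host[:port] only; an optional leading "*." is allowed because
# CSP host-source permits it. Lowercase is required to keep matching strict.
_ORIGIN = re.compile(r"https://(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}(:\d{1,5})?")


def framing_headers(allowed_embedders):
    """Return response headers limiting which origins may frame the page.

    allowed_embedders: iterable of https origins (hypothetical per-app setting).
    """
    sources = []
    for origin in allowed_embedders:
        # fullmatch rejects paths, whitespace, ';' and CR/LF, so a configured
        # value can neither append a CSP directive nor split the header.
        if not _ORIGIN.fullmatch(origin):
            raise ValueError(f"not a bare https origin: {origin!r}")
        if origin not in sources:
            sources.append(origin)

    csp = "frame-ancestors " + " ".join(["'self'"] + sources)
    return {
        # Enforced by current browsers, which then ignore X-Frame-Options.
        "Content-Security-Policy": csp,
        # Fallback for clients without frame-ancestors support: same origin only.
        "X-Frame-Options": "SAMEORIGIN",
    }


if __name__ == "__main__":
    # The embedding origin named in the post above.
    for name, value in framing_headers(["https://liveperson.net"]).items():
        print(f"{name}: {value}")
```

An empty allowlist yields `frame-ancestors 'self'`, which matches the same-origin behaviour the post describes.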