
[Feature Request] Allow ACUL-based Universal Login to be embedded in an iframe #336

@roberthuo-hub

Description


Please do not report security vulnerabilities here. The Responsible Disclosure Program details the procedure for disclosing security issues.

Thank you in advance for helping us to improve this library! Your attention to detail here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community or Auth0 Support. Finally, to avoid duplicates, please search existing Issues before submitting one here.

By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

We are building a payments SDK that requires embedding the Universal Login page inside an iframe. We have implemented our login screens using ACUL (Advanced Customizations for Universal Login) with @auth0/auth0-acul-react.

When our application attempts to load the Universal Login page inside an iframe, the browser refuses to render it due to the following HTTP response headers being enforced by Auth0's server:

X-Frame-Options: deny
Content-Security-Policy: frame-ancestors 'none'

We have confirmed via Auth0's official documentation that these headers are always enforced for New Universal Login (including ACUL) and cannot be disabled:

"The following action is not required if you are using the New Universal Login Experience because those headers are always set in that case."

Source: https://auth0.com/docs/troubleshoot/product-lifecycle/past-migrations/clickjacking-protection-for-universal-login

Describe the ideal solution

Add a tenant-level or application-level configuration option specifically for ACUL (Advanced Customizations for Universal Login) to allow X-Frame-Options to be set to SAMEORIGIN or disabled entirely. This is similar to the opt-out toggle that existed for Classic Universal Login ("Disable clickjacking protection for Classic Universal Login"), but we need an equivalent option for ACUL since that toggle only applies to Classic Universal Login and has no effect on ACUL-based implementations.

Alternatives and current work-arounds

We have considered the following alternatives:

  • loginWithPopup(): Not reliable on mobile browsers due to popup blocking.
  • loginWithRedirect(): Causes a full page navigation which breaks our SDK's embedded experience.

Neither of these alternatives is suitable for our iframe-based payments SDK use case.

Additional context

  • Auth0 tenant region: AU
  • SDK: @auth0/auth0-acul-react (1.0.0)
  • Login flow: ACUL Advanced Customization
  • Use case: Payments SDK embedded in third-party applications via iframe

This is currently blocking our development. We understand the security implications and are willing to take full responsibility for enabling this on our tenant.
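Added example (not code from the issue, from Auth0 or from the ACUL SDK): a JavaScript model of the browser's framing decision for the two headers quoted above, with invented helper names and constructed sample URLs. It also evaluates an allow-list policy of the form `frame-ancestors 'self' https://merchant.example`, which admits one named embedder rather than switching clickjacking protection off for every origin.

```javascript
// Added example (not from the issue or Auth0): models the browser's framing decision.
// Per CSP3, frame-ancestors takes precedence; X-Frame-Options counts only when CSP is silent.
function parseOrigin(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}
// Host pattern such as "merchant.example" or "*.merchant.example" (constructed names).
function hostMatches(pattern, host) {
  return pattern.startsWith("*.") ? host.endsWith(pattern.slice(1)) : pattern === host;
}
// Does one frame-ancestors source expression match the ancestor origin?
function sourceMatches(src, ancestor, self) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'")
    return ancestor.scheme === self.scheme && ancestor.host === self.host && ancestor.port === self.port;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.scheme === s.slice(0, -1); // e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  if (scheme && scheme !== ancestor.scheme) return false;
  if (!hostMatches(hostPattern, ancestor.host)) return false;
  return !port || port === "*" || port === ancestor.port;
}
// headers: response headers keyed by lower-case name. Returns true if the document at
// pageUrl may be framed by a document whose origin is ancestorUrl.
function isFramingAllowed(headers, ancestorUrl, pageUrl) {
  const ancestor = parseOrigin(ancestorUrl);
  const self = parseOrigin(pageUrl);
  const csp = headers["content-security-policy"] || "";
  const directive = csp.split(";").map((d) => d.trim()).find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1); // an empty source list matches nothing
    return sources.some((src) => sourceMatches(src, ancestor, self));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return sourceMatches("'self'", ancestor, self);
  return true; // no framing policy at all: any page may embed this one
}
// Constructed sample values (no real tenant or merchant URLs): the headers the issue quotes,
// and an allow-list policy that admits one named embedder instead of every origin.
const AUTH0_HEADERS = { "x-frame-options": "deny", "content-security-policy": "frame-ancestors 'none'" };
const ALLOWLIST_HEADERS = { "content-security-policy": "frame-ancestors 'self' https://merchant.example" };
const LOGIN_PAGE = "https://login.example.test/u/login";
```

With the quoted headers the login page is refused even by a same-origin parent, which is why no client-side setting in the SDK can change the outcome; only the server's response policy can.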
