chore: update iframe doc #2263
Open
chore: update iframe doc #2263
+21
−7
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
unatasha8
reviewed
Aug 25, 2025
| @@ -5,12 +5,26 @@ sidebar_label: Troubleshooting iframes | |||
| --- | |||
|
|
|||
| Iframes can pose a significant security risk for authentication services due to many attack vectors such as clickjacking, iframe | |||
| injection, iframe phishing, and many others. | |||
| injection, iframe phishing, and many others. Most browsers have implemented measures to block cookies in iframe contexts, which | |||
There was a problem hiding this comment.
Suggested change
| injection, iframe phishing, and many others. Most browsers have implemented measures to block cookies in iframe contexts, which | |
| injection, iframe phishing, and others. Most browsers have implemented measures to block cookies in iframe contexts that |
unatasha8
reviewed
Aug 25, 2025
| @@ -5,12 +5,26 @@ sidebar_label: Troubleshooting iframes | |||
| --- | |||
|
|
|||
| Iframes can pose a significant security risk for authentication services due to many attack vectors such as clickjacking, iframe | |||
| injection, iframe phishing, and many others. | |||
| injection, iframe phishing, and many others. Most browsers have implemented measures to block cookies in iframe contexts, which | |||
| breaks authentication, CSRF-prevention, and sessions. | |||
There was a problem hiding this comment.
Suggested change
| breaks authentication, CSRF-prevention, and sessions. | |
| break authentication, CSRF-prevention, and sessions. |
unatasha8
reviewed
Aug 25, 2025
| [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) that blocks third-party cookies | ||
| by default in iframe contexts, which breaks authentication, CSRF-prevention, and sessions. Chrome is planning on rolling out the | ||
| same changes in 2024. | ||
| - Safari has implemented [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) that |
There was a problem hiding this comment.
Suggested change
| - Safari has implemented [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) that | |
| - Safari has implemented [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) which |
unatasha8
reviewed
Aug 25, 2025
| blocks third-party cookies by default. | ||
| - Firefox has implemented | ||
| [Total Cookie Protection](https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/) | ||
| by default. This gives third-party cookies a separate cookie jar per site, preventing cross-site tracking. |
There was a problem hiding this comment.
Suggested change
| by default. This gives third-party cookies a separate cookie jar per site, preventing cross-site tracking. | |
| which gives third-party cookies a separate cookie jar per site by default, preventing cross-site tracking. |
unatasha8
reviewed
Aug 25, 2025
| - Firefox has implemented | ||
| [Total Cookie Protection](https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/) | ||
| by default. This gives third-party cookies a separate cookie jar per site, preventing cross-site tracking. | ||
| - Google Chrome only blocks third-party cookies in Incognito mode by default, but users can set it to block all third-party |
There was a problem hiding this comment.
Suggested change
| - Google Chrome only blocks third-party cookies in Incognito mode by default, but users can set it to block all third-party | |
| - Google Chrome only blocks third-party cookies in Incognito mode by default, but users can set Google Chrome to block all third-party |
unatasha8
reviewed
Aug 25, 2025
| [Total Cookie Protection](https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/) | ||
| by default. This gives third-party cookies a separate cookie jar per site, preventing cross-site tracking. | ||
| - Google Chrome only blocks third-party cookies in Incognito mode by default, but users can set it to block all third-party | ||
| cookies. As alternative Google implemented FedCM, which Ory supports as well, read more about |
There was a problem hiding this comment.
Suggested change
| cookies. As alternative Google implemented FedCM, which Ory supports as well, read more about | |
| cookies in regular mode. As an alternative, Google has implemented FedCM, which Ory supports. Read more about |
unatasha8
reviewed
Aug 25, 2025
| - Google Chrome only blocks third-party cookies in Incognito mode by default, but users can set it to block all third-party | ||
| cookies. As alternative Google implemented FedCM, which Ory supports as well, read more about | ||
| [FedCM](../kratos/social-signin/fedcm.mdx). | ||
| - Edge blocks trackers by default. Microsoft are also exploring blocking third-party cookies in Edge by default. |
There was a problem hiding this comment.
Suggested change
| - Edge blocks trackers by default. Microsoft are also exploring blocking third-party cookies in Edge by default. | |
| - Edge blocks trackers by default. Microsoft is also exploring blocking third-party cookies in Edge by default. |
unatasha8
reviewed
Aug 25, 2025
| browsers that iframes can not be used with the Ory Account Experience. | ||
| :::danger | ||
|
|
||
| Authentication flows Login, registration, MFA and other identity flows must not be embedded inside an iframe! Embedding these |
There was a problem hiding this comment.
Suggested change
| Authentication flows Login, registration, MFA and other identity flows must not be embedded inside an iframe! Embedding these | |
| Identity flows, such as authentication, login, registration, and MFA, must not be embedded inside an iframe! Embedding these |
unatasha8
reviewed
Aug 25, 2025
| :::danger | ||
|
|
||
| Authentication flows Login, registration, MFA and other identity flows must not be embedded inside an iframe! Embedding these | ||
| flows increases risk of phising, session hijacking, and click jacking. |
There was a problem hiding this comment.
Suggested change
| flows increases risk of phising, session hijacking, and click jacking. | |
| flows increases the risk of phishing, session hijacking, and clickjacking. |
unatasha8
reviewed
Aug 25, 2025
| ::: | ||
|
|
||
| Ory has implemented HTTP headers (`X-Frame-Options: DENY` and `Content-Security-Policy: frame-ancestors 'none'`) to indicate to | ||
| browsers that iframes can't be used with the Ory Account Experience. |
There was a problem hiding this comment.
Suggested change
| browsers that iframes can't be used with the Ory Account Experience. | |
| browsers that iframes can't be used with the Ory Account Experience self-service user flows. |
unatasha8
reviewed
Aug 25, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Related Issue or Design Document
Checklist
If this pull request addresses a security vulnerability,
I confirm that I got approval (please contact [email protected]) from the maintainers to push the changes.
Further comments