Yes, look under Security Defenses tab. X-Frame-Options is actually
replaced by Content-Security-Policy
On 2/23/2015 7:53 AM, Stian Thorgersen wrote:
Do we set x-frame-options? The OAuth spec recommends it,
http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-10.13
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Monday, February 23, 2015 1:50:34 PM
> Subject: Re: [keycloak-user] Integrate the Keycloak Login view in my own html with iframe
>
> On 2/23/2015 7:45 AM, Stian Thorgersen wrote:
>> We don't support using an iframe as it opens potential exploits
>> (clickjacking, csrf, xss).
>>
>
> Actually we might be able to. Currently we restrict this possibility by
> setting the Content-Security-Policy header. The value of this header is
> configurable in the admin console. IIRC, you can set up trusted origins
> with this header. Don't remember. Or you could just shut it off.
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
>
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
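The thread turns on which header actually decides whether a login page may be framed: a `Content-Security-Policy` with a `frame-ancestors` directive takes precedence, and browsers ignore `X-Frame-Options` when that directive is present. The checker below is an added example (not Keycloak code and not from the list posts) that applies that precedence to a set of response headers and reports whether a given framing origin would be allowed. The header values and origins are constructed samples, and the source matcher implements a practical subset of the CSP source-expression rules (`'none'`, `'self'`, `*`, scheme-only, and host sources with optional scheme, port and leading `*.` wildcard).

```python
from urllib.parse import urlsplit


def _origin_parts(origin):
    """Normalize an origin string to (scheme, host, port), filling in default ports."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else (443 if scheme == "https" else 80)
    return scheme, (u.hostname or "").lower(), port


def _source_matches(source, page_origin, framer_origin):
    """Match one frame-ancestors source expression against the framing origin.

    Simplified subset of the CSP source-expression matching rules (assumption:
    enough for typical 'self' / explicit-origin / wildcard-host policies)."""
    src = source.strip().lower()
    p_scheme, _, _ = _origin_parts(page_origin)
    f_scheme, f_host, f_port = _origin_parts(framer_origin)
    if src == "'none'":
        return False
    if src == "'self'":
        return _origin_parts(page_origin) == (f_scheme, f_host, f_port)
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:      # scheme-source, e.g. "https:"
        return f_scheme == src[:-1]
    if "://" not in src:                           # host-source with no scheme
        src = "//" + src                           # let urlsplit see it as a netloc
    u = urlsplit(src)
    if u.scheme:
        if u.scheme != f_scheme:
            return False
    elif not (f_scheme == p_scheme or (p_scheme == "http" and f_scheme == "https")):
        return False                               # schemeless source: page scheme, or https upgrade
    host = u.hostname or ""
    if host.startswith("*."):
        if not f_host.endswith(host[1:]):
            return False
    elif host != f_host:
        return False
    want_port = u.port if u.port is not None else (443 if f_scheme == "https" else 80)
    return f_port == want_port


def framing_allowed(headers, page_origin, framer_origin):
    """True if a browser would render page_origin's response inside a frame on framer_origin.

    frame-ancestors, when present, decides on its own; X-Frame-Options is the fallback."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = tokens[1:]
            if not sources:                        # an empty source list behaves like 'none'
                return False
            return any(_source_matches(s, page_origin, framer_origin) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin_parts(page_origin) == _origin_parts(framer_origin)
    # No recognised value (ALLOW-FROM is obsolete and dropped by current browsers): no protection.
    return True


# Constructed sample headers: CSP trusts the page itself plus one partner origin;
# the DENY next to it is ignored because frame-ancestors is present.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'self' https://portal.example.com",
    "X-Frame-Options": "DENY",
}


def sample_report():
    """Evaluate the constructed headers for a login page against several framing origins."""
    page = "https://sso.example.com"
    framers = ("https://sso.example.com", "https://portal.example.com",
               "https://evil.example.net", "http://portal.example.com")
    return {framer: framing_allowed(SAMPLE_HEADERS, page, framer) for framer in framers}


if __name__ == "__main__":
    for framer, allowed in sample_report().items():
        print(f"{framer:32} {'allowed' if allowed else 'blocked'}")
```

Running it against a real deployment means capturing the login page's response headers (for example with `curl -I`) and passing them as the `headers` dict; the useful check is that the origins you intend to trust come back allowed and everything else comes back blocked, with `X-Frame-Options` treated only as the fallback it is.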