[keycloak-user] Integrate the Keycloak Login view in my own html with iframe

Stian Thorgersen stian at redhat.com
Mon Feb 23 07:53:38 EST 2015


Do we set x-frame-options? The OAuth spec recommends it, http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-10.13

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-user at lists.jboss.org
> Sent: Monday, February 23, 2015 1:50:34 PM
> Subject: Re: [keycloak-user] Integrate the Keycloak Login view in my own html with iframe
> 
> On 2/23/2015 7:45 AM, Stian Thorgersen wrote:
> > We don't support using an iframe as it opens potential exploits
> > (clickjacking, csrf, xss).
> >
> 
> Actually we might be able to.  Currently we restrict this possibility by
> setting the Content-Security-Policy header. The value of this header is
> configurable in the admin console.  IIRC, you can set up trusted origins
> with this header.  Don't remember.  Or you could just shut it off.
> 
> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
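
Added example, not part of the original thread and not Keycloak code: a Python check of the two headers discussed above, showing how a browser decides whether a parent page may embed the login page in an iframe, including a trusted origin in frame-ancestors. It assumes a single framing parent and a simplified subset of CSP source matching; the URLs and header values are constructed.

```python
from urllib.parse import urlsplit

def origin(url):
    """scheme://host[:port] of a URL, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def source_matches(source, parent, page):
    """Simplified matching: *, 'self', exact origins, scheme://*.domain."""
    if source == "*":
        return True
    if source == "'self'":
        return parent == page
    if "://*." in source:
        scheme, _, suffix = source.partition("://*")
        p_scheme, _, p_host = parent.partition("://")
        return p_scheme == scheme and p_host.endswith(suffix)
    return source.rstrip("/") == parent  # 'none' never equals an origin

def may_frame(headers, page_url, parent_url):
    """True if a browser would let parent_url embed page_url in an iframe."""
    h = {k.lower(): v for k, v in headers.items()}
    page, parent = origin(page_url), origin(parent_url)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # frame-ancestors wins over X-Frame-Options when both are sent.
        return any(source_matches(s, parent, page) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent == page
    # No header, or the obsolete ALLOW-FROM that current browsers ignore.
    return True

# Constructed sample values, not taken from a real Keycloak deployment.
LOGIN = "https://sso.example.test/auth/realms/demo/login"
LOCKED = {"Content-Security-Policy": "frame-ancestors 'self'",
          "X-Frame-Options": "SAMEORIGIN"}
TRUSTED = {"Content-Security-Policy": "frame-ancestors 'self' https://portal.example.test",
           "X-Frame-Options": "DENY"}
```

With the TRUSTED headers the portal origin is allowed even though X-Frame-Options says DENY, because frame-ancestors takes precedence; a response with neither header can be framed by any origin.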

