[keycloak-user] Integrate the Keycloak Login view in my own html with iframe

Bill Burke bburke at redhat.com
Mon Feb 23 07:56:51 EST 2015


Yes, look under the Security Defenses tab.  X-Frame-Options is actually 
replaced by Content-Security-Policy

On 2/23/2015 7:53 AM, Stian Thorgersen wrote:
> Do we set x-frame-options? The OAuth spec recommends it, http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-10.13
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-user at lists.jboss.org
>> Sent: Monday, February 23, 2015 1:50:34 PM
>> Subject: Re: [keycloak-user] Integrate the Keycloak Login view in my own html with iframe
>>
>> On 2/23/2015 7:45 AM, Stian Thorgersen wrote:
>>> We don't support using an iframe as it opens potential exploits
>>> (clickjacking, csrf, xss).
>>>
>>
>> Actually we might be able to.  Currently we restrict this possibility by
>> setting the Content-Security-Policy header. The value of this header is
>> configurable in the admin console.  IIRC, you can set up trusted origins
>> with this header.  Don't remember.  Or you could just shut it off.
>>
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
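Added example (not Keycloak's code, and not part of the thread above): the browser-side rule that the two headers discussed here, X-Frame-Options and Content-Security-Policy frame-ancestors, impose on an embedding page. It shows why a login page needs one of them (with neither header present, any site can frame the page and clickjack the login form), why CSP's frame-ancestors is the one that can express a list of trusted origins (X-Frame-Options can only say DENY or SAMEORIGIN), and that a browser which understands frame-ancestors ignores X-Frame-Options when the CSP directive is present. The origins and header values in the code are constructed sample input; the function and header names are my own, not Keycloak's admin-console settings.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_tuple(origin):
    """Normalise an origin like 'https://app.example.com:8443' to (scheme, host, port)."""
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    directives = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_matches(source, ancestor, page):
    """Does one frame-ancestors source expression admit the framing (ancestor) origin?"""
    a_scheme, a_host, a_port = ancestor
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return ancestor == page
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:      # scheme-source such as "https:"
        return a_scheme == src[:-1]
    # host-source: [scheme://]host[:port]; the host part may start with "*."
    if "://" in src:
        s_scheme, rest = src.split("://", 1)
        if a_scheme != s_scheme:
            return False
    else:
        s_scheme, rest = page[0], src             # no scheme given: inherit the page's
    host, _, port = rest.partition(":")
    expected_port = None if port == "*" else (int(port) if port else DEFAULT_PORTS.get(s_scheme))
    if expected_port is not None and a_port != expected_port:
        return False
    if host.startswith("*."):
        return a_host.endswith(host[1:])          # "*.example.com" -> ".example.com"
    return a_host == host


def frame_allowed(ancestor_origin, page_origin, csp=None, x_frame_options=None):
    """Decide whether page_origin may be rendered inside a frame owned by ancestor_origin.

    csp and x_frame_options are the response header values of the framed page
    (None when the header is absent)."""
    ancestor, page = origin_tuple(ancestor_origin), origin_tuple(page_origin)
    if csp:
        sources = parse_csp(csp).get("frame-ancestors")
        if sources is not None:
            # A browser that supports frame-ancestors ignores X-Frame-Options
            # when the directive is present; an empty source list means 'none'.
            return any(source_matches(s, ancestor, page) for s in sources)
    xfo = (x_frame_options or "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return ancestor == page
    return True   # no defence at all: any site can frame the page (clickjacking risk)


def clickjacking_headers(trusted_origins):
    """Build the header pair a login page would send to allow framing only by itself
    and by the given trusted origins (hypothetical helper, not a Keycloak API)."""
    sources = ["'self'"] + list(trusted_origins)
    return {
        "Content-Security-Policy": "frame-ancestors " + " ".join(sources),
        # Fallback for browsers without frame-ancestors support: X-Frame-Options
        # cannot express an allow-list, so the fallback is the stricter SAMEORIGIN.
        "X-Frame-Options": "SAMEORIGIN",
    }


if __name__ == "__main__":
    # Constructed sample: a login page at sso.example.com that trusts one portal origin.
    hdrs = clickjacking_headers(["https://portal.example.com"])
    for framer in ("https://portal.example.com", "https://evil.example"):
        print(framer, "->", frame_allowed(framer, "https://sso.example.com",
                                          csp=hdrs["Content-Security-Policy"],
                                          x_frame_options=hdrs["X-Frame-Options"]))
```

The practical consequence for the question in the thread: turning the header off entirely makes the login page framable by any origin, while adding the embedding application's origin to frame-ancestors keeps the clickjacking protection for everyone else. Note that the fallback X-Frame-Options: SAMEORIGIN means a browser that only honours X-Frame-Options will still refuse the trusted third-party frame.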
