diff --git a/docs/troubleshooting/30_iframes.mdx b/docs/troubleshooting/30_iframes.mdx index f88f92d98..79bec787b 100644 --- a/docs/troubleshooting/30_iframes.mdx +++ b/docs/troubleshooting/30_iframes.mdx 
@@ -5,12 +5,26 @@ sidebar_label: Troubleshooting iframes --- Iframes can pose a significant security risk for authentication services due to many attack vectors such as clickjacking, iframe -injection, iframe phishing, and many others. +injection, iframe phishing, and many others. Most browsers have implemented measures to block cookies in iframe contexts, which +breaks authentication, CSRF-prevention, and sessions. -Safari has additionally implemented a feature called -[Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) that blocks third-party cookies -by default in iframe contexts, which breaks authentication, CSRF-prevention, and sessions. Chrome is planning on rolling out the -same changes in 2024. +- Safari has implemented [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) that + blocks third-party cookies by default. +- Firefox has implemented + [Total Cookie Protection](https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/) + by default. This gives third-party cookies a separate cookie jar per site, preventing cross-site tracking. +- Google Chrome only blocks third-party cookies in Incognito mode by default, but users can set it to block all third-party + cookies. As alternative Google implemented FedCM, which Ory supports as well, read more about + [FedCM](../kratos/social-signin/fedcm.mdx). +- Edge blocks trackers by default. Microsoft are also exploring blocking third-party cookies in Edge by default. +- Brave browser blocks third-party cookies by default. -We therefore discourage use of iframes when using Ory and have implemented HTTP headers (`X-Frame-Options: DENY`) indicating to -browsers that iframes can not be used with the Ory Account Experience. +:::danger + +Authentication flows Login, registration, MFA and other identity flows must not be embedded inside an iframe! 
Embedding these +flows increases risk of phising, session hijacking, and click jacking. + +::: + +Ory has implemented HTTP headers (`X-Frame-Options: DENY` and `Content-Security-Policy: frame-ancestors 'none'`) to indicate to +browsers that iframes can't be used with the Ory Account Experience.
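Review bot: the new `:::danger` admonition in this hunk has two spelling errors, `phising` and `click jacking`, which should read `phishing` and `clickjacking`, and its first sentence is missing punctuation around the list of flows; suggest `Authentication flows (login, registration, MFA, and other identity flows) must not be embedded inside an iframe!`. Two smaller grammar fixes in the browser list: `As alternative Google implemented FedCM` should be `As an alternative, Google implemented FedCM`, and `Microsoft are also exploring` should be `Microsoft is also exploring`. One consistency point: the rewritten opening sentence states that most browsers block cookies in iframe contexts, but the Chrome bullet immediately below says Chrome only does so in Incognito by default, so consider qualifying the opening (for example `Most browsers block or restrict third-party cookies in iframe contexts by default`) so the summary matches the per-browser list. The closing paragraph correctly lists both `X-Frame-Options: DENY` and `Content-Security-Policy: frame-ancestors 'none'`; keeping both is right, since `frame-ancestors` supersedes `X-Frame-Options` in browsers that support CSP while older browsers honor only the latter, and a short sentence saying so would help readers who check for just one header.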