From dc5d2e6679d415a02219a1641c5373bbbf7d0740 Mon Sep 17 00:00:00 2001 From: vinckr Date: Fri, 1 Aug 2025 09:52:11 +0200 Subject: [PATCH 1/4] chore: update iframe doc --- docs/troubleshooting/30_iframes.mdx | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/docs/troubleshooting/30_iframes.mdx b/docs/troubleshooting/30_iframes.mdx index f88f92d98..79bec787b 100644 --- a/docs/troubleshooting/30_iframes.mdx +++ b/docs/troubleshooting/30_iframes.mdx 
@@ -5,12 +5,26 @@ sidebar_label: Troubleshooting iframes --- Iframes can pose a significant security risk for authentication services due to many attack vectors such as clickjacking, iframe -injection, iframe phishing, and many others. +injection, iframe phishing, and many others. Most browsers have implemented measures to block cookies in iframe contexts, which +breaks authentication, CSRF-prevention, and sessions. -Safari has additionally implemented a feature called -[Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) that blocks third-party cookies -by default in iframe contexts, which breaks authentication, CSRF-prevention, and sessions. Chrome is planning on rolling out the -same changes in 2024. +- Safari has implemented [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) that + blocks third-party cookies by default. +- Firefox has implemented + [Total Cookie Protection](https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/) + by default. This gives third-party cookies a separate cookie jar per site, preventing cross-site tracking. +- Google Chrome only blocks third-party cookies in Incognito mode by default, but users can set it to block all third-party + cookies. As alternative Google implemented FedCM, which Ory supports as well, read more about + [FedCM](../kratos/social-signin/fedcm.mdx). +- Edge blocks trackers by default. Microsoft are also exploring blocking third-party cookies in Edge by default. +- Brave browser blocks third-party cookies by default. -We therefore discourage use of iframes when using Ory and have implemented HTTP headers (`X-Frame-Options: DENY`) indicating to -browsers that iframes can not be used with the Ory Account Experience. +:::danger + +Authentication flows Login, registration, MFA and other identity flows must not be embedded inside an iframe! 
Embedding these +flows increases risk of phising, session hijacking, and click jacking. + +::: + +Ory has implemented HTTP headers (`X-Frame-Options: DENY` and `Content-Security-Policy: frame-ancestors 'none'`) to indicate to +browsers that iframes can't be used with the Ory Account Experience. From f6cd8f7ade0db515a9e61da1ff82d1f9a23caf72 Mon Sep 17 00:00:00 2001 From: Vincent Date: Tue, 26 Aug 2025 13:56:03 +0200 Subject: [PATCH 2/4] chore: apply suggestions from code review Co-authored-by: unatasha8 --- docs/troubleshooting/30_iframes.mdx | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/troubleshooting/30_iframes.mdx b/docs/troubleshooting/30_iframes.mdx index 79bec787b..563441a7a 100644 --- a/docs/troubleshooting/30_iframes.mdx +++ b/docs/troubleshooting/30_iframes.mdx 
@@ -5,26 +5,26 @@ sidebar_label: Troubleshooting iframes --- Iframes can pose a significant security risk for authentication services due to many attack vectors such as clickjacking, iframe -injection, iframe phishing, and many others. Most browsers have implemented measures to block cookies in iframe contexts, which -breaks authentication, CSRF-prevention, and sessions. +injection, iframe phishing, and others. Most browsers have implemented measures to block cookies in iframe contexts that +break authentication, CSRF-prevention, and sessions. -- Safari has implemented [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) that +- Safari has implemented [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) which blocks third-party cookies by default. - Firefox has implemented [Total Cookie Protection](https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/) - by default. This gives third-party cookies a separate cookie jar per site, preventing cross-site tracking. -- Google Chrome only blocks third-party cookies in Incognito mode by default, but users can set it to block all third-party + which gives third-party cookies a separate cookie jar per site by default, preventing cross-site tracking. +- Google Chrome only blocks third-party cookies in Incognito mode by default, but users can set Google Chrome to block all third-party cookies. As alternative Google implemented FedCM, which Ory supports as well, read more about [FedCM](../kratos/social-signin/fedcm.mdx). -- Edge blocks trackers by default. Microsoft are also exploring blocking third-party cookies in Edge by default. +- Edge blocks trackers by default. Microsoft is also exploring blocking third-party cookies in Edge by default. - Brave browser blocks third-party cookies by default. 
:::danger -Authentication flows Login, registration, MFA and other identity flows must not be embedded inside an iframe! Embedding these -flows increases risk of phising, session hijacking, and click jacking. +Identity flows, such as authentication, login, registration, and MFA, must not be embedded inside an iframe! Embedding these +flows increases the risk of phishing, session hijacking, and clickjacking. ::: Ory has implemented HTTP headers (`X-Frame-Options: DENY` and `Content-Security-Policy: frame-ancestors 'none'`) to indicate to -browsers that iframes can't be used with the Ory Account Experience. +browsers that iframes can't be used with the Ory Account Experience self-service user flows. From 49317a3f0ae26d7f513f6b6ba02a556b0b0cbf5f Mon Sep 17 00:00:00 2001 From: Vincent Date: Tue, 26 Aug 2025 13:56:24 +0200 Subject: [PATCH 3/4] chore: apply suggestions from code review Co-authored-by: unatasha8 --- docs/troubleshooting/30_iframes.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/troubleshooting/30_iframes.mdx b/docs/troubleshooting/30_iframes.mdx index 563441a7a..f08fc010a 100644 --- a/docs/troubleshooting/30_iframes.mdx +++ b/docs/troubleshooting/30_iframes.mdx 
@@ -14,7 +14,7 @@ break authentication, CSRF-prevention, and sessions. [Total Cookie Protection](https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/) which gives third-party cookies a separate cookie jar per site by default, preventing cross-site tracking. - Google Chrome only blocks third-party cookies in Incognito mode by default, but users can set Google Chrome to block all third-party - cookies. As alternative Google implemented FedCM, which Ory supports as well, read more about + cookies in regular mode. As an alternative, Google has implemented FedCM, which Ory supports. Read more about [FedCM](../kratos/social-signin/fedcm.mdx). - Edge blocks trackers by default. Microsoft is also exploring blocking third-party cookies in Edge by default. - Brave browser blocks third-party cookies by default. From 350caec53ecd35029c4f860d57f64eaf4d58a0f5 Mon Sep 17 00:00:00 2001 From: vinckr Date: Mon, 1 Sep 2025 09:11:06 +0200 Subject: [PATCH 4/4] chore: format --- docs/troubleshooting/30_iframes.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/troubleshooting/30_iframes.mdx b/docs/troubleshooting/30_iframes.mdx index f08fc010a..225bc8762 100644 --- a/docs/troubleshooting/30_iframes.mdx +++ b/docs/troubleshooting/30_iframes.mdx 
@@ -5,24 +5,24 @@ sidebar_label: Troubleshooting iframes --- Iframes can pose a significant security risk for authentication services due to many attack vectors such as clickjacking, iframe -injection, iframe phishing, and others. Most browsers have implemented measures to block cookies in iframe contexts that -break authentication, CSRF-prevention, and sessions. +injection, iframe phishing, and others. Most browsers have implemented measures to block cookies in iframe contexts that break +authentication, CSRF-prevention, and sessions. - Safari has implemented [Intelligent Tracking Prevention](https://webkit.org/blog/7675/intelligent-tracking-prevention/) which blocks third-party cookies by default. - Firefox has implemented [Total Cookie Protection](https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/) which gives third-party cookies a separate cookie jar per site by default, preventing cross-site tracking. -- Google Chrome only blocks third-party cookies in Incognito mode by default, but users can set Google Chrome to block all third-party - cookies in regular mode. As an alternative, Google has implemented FedCM, which Ory supports. Read more about +- Google Chrome only blocks third-party cookies in Incognito mode by default, but users can set Google Chrome to block all + third-party cookies in regular mode. As an alternative, Google has implemented FedCM, which Ory supports. Read more about [FedCM](../kratos/social-signin/fedcm.mdx). - Edge blocks trackers by default. Microsoft is also exploring blocking third-party cookies in Edge by default. - Brave browser blocks third-party cookies by default. :::danger -Identity flows, such as authentication, login, registration, and MFA, must not be embedded inside an iframe! Embedding these -flows increases the risk of phishing, session hijacking, and clickjacking. 
+Identity flows, such as authentication, login, registration, and MFA, must not be embedded inside an iframe! Embedding these flows +increases the risk of phishing, session hijacking, and clickjacking. :::
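Review bot: the new `:::danger` admonition in PATCH 1/4 (hunk `@@ -5,12 +5,26 @@`) carries two typos and an awkward opening: `Authentication flows Login, registration, MFA and other identity flows must not be embedded inside an iframe!` reads as a list with no introduction, and the continuation line has `phising` and `click jacking`. Suggest `Identity flows such as login, registration, and MFA must not be embedded inside an iframe.` followed by `... the risk of phishing, session hijacking, and clickjacking.` Separately, the new intro sentence `Most browsers have implemented measures to block cookies in iframe contexts` is broader than what the bullets beneath it actually describe, which is third-party cookie blocking; a same-site iframe still receives its cookies, so `block third-party cookies in cross-site iframe contexts` would match the bullets and avoid implying that every embed loses its session. Pairing `Content-Security-Policy: frame-ancestors 'none'` with the existing `X-Frame-Options: DENY` in the last added line is the right combination, since CSP-aware browsers honour `frame-ancestors` and older ones fall back to `X-Frame-Options`.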
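Review bot: in PATCH 2/4 (hunk `@@ -5,26 +5,26 @@`) the reworded Chrome bullet `- Google Chrome only blocks third-party cookies in Incognito mode by default, but users can set Google Chrome to block all third-party` now runs past the wrap width used by every other line in the file, and its continuation `cookies. As alternative Google implemented FedCM, which Ory supports as well, read more about` is still a run-on with a missing article. Suggest rewrapping the bullet and changing the continuation to `cookies. As an alternative, Google has implemented FedCM, which Ory supports. Read more about`. The narrowing of the last line to `Ory Account Experience self-service user flows` is a good change, since the `X-Frame-Options: DENY` and `frame-ancestors 'none'` headers described there apply to those flows rather than to every Ory endpoint.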
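Review bot: PATCH 3/4 (hunk `@@ -14,7 +14,7 @@`) fixes the FedCM sentence but leaves the preceding line `- Google Chrome only blocks third-party cookies in Incognito mode by default, but users can set Google Chrome to block all third-party` over-long; it appears here as unchanged context, so a formatter pass is still needed after this commit. Separately, the unchanged Edge and Brave bullets are the only entries in the list without a source link of the kind the Safari and Firefox bullets carry, and `Edge blocks trackers by default` says nothing about cookies even though third-party cookie handling is what the list is about. Suggest stating what Edge does with third-party cookies and linking a source, or dropping the `Microsoft is also exploring` claim, which is unverifiable as written.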
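Review bot: PATCH 4/4 (hunk `@@ -5,24 +5,24 @@`) is a pure rewrap with no wording changes, which matches the `chore: format` subject and resolves the over-long Chrome bullet flagged in the earlier commits. The one remaining style point is in the admonition text `Identity flows, such as authentication, login, registration, and MFA`: `authentication` and `login` name the same flow, and MFA is itself an authentication step, so `Identity flows such as login, registration, and MFA` is tighter and avoids the redundant pair.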