Refused to display login-status-iframe.html and X-Frame-Options

l.sc...@gmail.com

Jan 23, 2021, 4:17:27 PM
to Keycloak User
Hello,
I'm trying to set up a new Angular app (code flow) using the angular-oauth2-oidc library, which tries to automatically set up the silent refresh and session status monitoring. The app is at http://localhost:4200 and Keycloak 12.0.2 is at https://login.domain.com/auth.
The login is working fine, but in the browser I keep getting the following error:

"Refused to display https://login.domain.com/auth/realms/myrealm/protocol/openid-connect/login-status-iframe.html because it set 'X-Frame-Options' to 'sameorigin'."

Now, I understand why I get this and I actually have sameorigin as the value of the realm's Security Defenses > X-Frame-Options, so this error does not surprise me. However, I'm confused about how to correctly set it. According to RFC7034, the ALLOW-FROM header only allows a single value for the X-Frame-Options header.
In my scenario however I will have a few applications on different hosts which will all share the same Keycloak instance and realm (the docs at [1] don't say anything about this aspect).

It is also puzzling that the iframe policy for the entire Keycloak realm applies to the login-status-iframe.html page - I would have expected a per-client setting, in order to use the Allowed Origins option set in the client config.

What am I missing? How do I enable the iframe display for multiple hosts?

Thanks in advance,
Luca
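
The check below is an added example, not code from the original post or from Keycloak. It models in JavaScript the browser rule that produces the error quoted above: the HTML Standard's X-Frame-Options algorithm, plus CSP frame-ancestors, which takes precedence over X-Frame-Options when present and accepts a list of origins. Keycloak's Security Defenses tab also carries a Content-Security-Policy field (default `frame-src 'self'; frame-ancestors 'self'; object-src 'none';`), which is where a multi-origin frame-ancestors list goes. The Keycloak iframe URL and http://localhost:4200 come from the post; the second app origin https://app1.example.org and both header sets are constructed for illustration, and the matcher handles only one level of nesting and the common source forms.

```javascript
// Added example (not from the original post or from Keycloak): would a browser
// render `framedUrl` inside a page at `embedderUrl`, given the response headers?
// Models the HTML Standard's X-Frame-Options check and CSP frame-ancestors matching.
// Simplifications: one level of nesting (the app page directly frames Keycloak);
// frame-ancestors sources limited to 'none', 'self', '*', "scheme:" and
// host-source with optional "*." wildcard and optional port.

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`; // scheme://host[:port], port only when non-default
}

// Does a single frame-ancestors source expression match the embedding origin?
function sourceMatches(src, embedder, framed) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return embedder === framed;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.startsWith(s + "//"); // scheme-source
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/);
  if (!m) return false; // unsupported or malformed source: no match
  const [, scheme, wildcard, host, port] = m;
  const e = new URL(embedder);
  if (scheme && e.protocol !== scheme + ":") return false;
  if (wildcard ? !e.hostname.endsWith("." + host) : e.hostname !== host) return false;
  const ePort = e.port || DEFAULT_PORT[e.protocol] || "";
  if (port !== "*") {
    // No port in the source means "the default port of the source's (or URL's) scheme".
    const want = port || DEFAULT_PORT[scheme ? scheme + ":" : e.protocol] || "";
    if (ePort !== want) return false;
  }
  return true;
}

// Every frame-ancestors source list found in the CSP header (one per policy).
function frameAncestorsLists(cspHeader) {
  if (!cspHeader) return [];
  const lists = [];
  for (const policy of cspHeader.split(",")) {
    for (const directive of policy.split(";")) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name && name.toLowerCase() === "frame-ancestors") lists.push(sources);
    }
  }
  return lists;
}

// headers: object keyed by header name (any case). true = rendered, false = refused.
function frameAllowed(headers, embedderUrl, framedUrl) {
  const embedder = originOf(embedderUrl);
  const framed = originOf(framedUrl);
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // A frame-ancestors directive decides on its own; X-Frame-Options is then ignored.
  const lists = frameAncestorsLists(h["content-security-policy"]);
  if (lists.length > 0) {
    return lists.every((srcs) => srcs.some((s) => sourceMatches(s, embedder, framed)));
  }

  // X-Frame-Options per the HTML Standard: each value becomes deny, sameorigin,
  // allowall or "invalid". ALLOW-FROM is not recognised by current browsers,
  // so it is "invalid" and a lone ALLOW-FROM value is simply not enforced.
  const xfo = h["x-frame-options"];
  if (!xfo) return true;
  const values = [...new Set(xfo.split(",").map((v) => v.trim().toLowerCase())
    .map((v) => (["deny", "sameorigin", "allowall"].includes(v) ? v : "invalid")))];
  if (values.length > 1 && ["deny", "allowall", "invalid"].some((v) => values.includes(v))) return false;
  if (values[0] === "deny") return false;
  if (values[0] === "sameorigin") return embedder === framed;
  return true;
}

// Constructed inputs. The iframe URL and the Angular origin are from the post;
// app1.example.org and both header sets are assumptions for the demo.
const KEYCLOAK_IFRAME =
  "https://login.domain.com/auth/realms/myrealm/protocol/openid-connect/login-status-iframe.html";
const APP = "http://localhost:4200";
const XFO_ONLY = { "X-Frame-Options": "SAMEORIGIN" };
const WITH_FRAME_ANCESTORS = {
  "X-Frame-Options": "SAMEORIGIN",
  "Content-Security-Policy":
    "frame-src 'self'; frame-ancestors 'self' http://localhost:4200 https://app1.example.org; object-src 'none';",
};
const ALLOW_FROM = { "X-Frame-Options": "ALLOW-FROM http://localhost:4200" };

function demo() {
  return {
    sameoriginBlocksApp: frameAllowed(XFO_ONLY, APP, KEYCLOAK_IFRAME),                       // false
    frameAncestorsAllowsApp: frameAllowed(WITH_FRAME_ANCESTORS, APP, KEYCLOAK_IFRAME),       // true
    frameAncestorsBlocksOther: frameAllowed(WITH_FRAME_ANCESTORS, "https://other.example", KEYCLOAK_IFRAME), // false
    allowFromNotEnforced: frameAllowed(ALLOW_FROM, "https://other.example", KEYCLOAK_IFRAME), // true
  };
}

console.log(demo());
```

Two points the result makes concrete. A single ALLOW-FROM value is not a narrower SAMEORIGIN: current browsers do not recognise it, so the header is ignored and any origin may frame the page, which is why the list of app origins belongs in the Content-Security-Policy field's frame-ancestors directive rather than in X-Frame-Options. And because both headers are realm-wide, every origin listed there can also frame the realm's login pages, so list only the app origins you control and never `*`.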
