x-frame-options in IdP

Cantor, Scott cantor.2 at osu.edu
Wed Aug 17 19:29:33 UTC 2022

> but it seems an unnecessary/unwarranted reduction in the IdP’s security
> posture.

I suppose there's an element of that, but only in the sense that allowing/normalizing framed login makes verification of the form impossible; practically speaking, users can't do that anyway. EV certs dying and mobile browsers being terrible put an end to any hope of actually validating the identity of servers.

The reason for the default is that third-party cookies are dying, and without them you simply can't do this. And even now, you can't force non-enterprise browsers to just do this because you want them to.

It's setting everybody up for a support nightmare, and the default is there to make it clear that we will not ever support framing the page, and that to do so is to take on the job of dealing with all the complaints from users with TPCs blocked.

-- Scott