Troubleshoot iframe related issues
Iframes pose a significant security risk for authentication services because of attack vectors such as clickjacking, iframe injection, and iframe phishing, among others. Most browsers have also implemented measures that block cookies in iframe contexts, which breaks authentication, CSRF prevention, and sessions.
- Safari has implemented Intelligent Tracking Prevention that blocks third-party cookies by default.
- Firefox has implemented Total Cookie Protection by default. This gives third-party cookies a separate cookie jar per site, preventing cross-site tracking.
- Google Chrome blocks third-party cookies by default only in Incognito mode, but users can configure it to block all third-party cookies. As an alternative, Google implemented FedCM, which Ory supports as well; read more about FedCM.
- Edge blocks trackers by default. Microsoft is also exploring blocking third-party cookies in Edge by default.
- Brave browser blocks third-party cookies by default.
Danger: Authentication flows (login, registration, MFA, and other identity flows) must not be embedded inside an iframe! Embedding these flows increases the risk of phishing, session hijacking, and clickjacking.
Ory has implemented HTTP headers (`X-Frame-Options: DENY` and `Content-Security-Policy: frame-ancestors 'none'`) to indicate to browsers that iframes can't be used with the Ory Account Experience.