Please add support for configuring HTTP response headers for the WorkOS Hosted UI, specifically:
- Content-Security-Policy (especially frame-ancestors)
- X-Frame-Options
We are using the WorkOS Hosted UI for OAuth flows, where users are presented with a consent screen during the authorization process.
Our goal is to embed this consent screen inside an <iframe> within our own application. However, the current response headers prevent the Hosted UI from being framed, and there is no way to configure or override this behavior.
Provide a way to configure framing-related headers for the Hosted UI. Specifically:
- Ability to define allowed origins via Content-Security-Policy: frame-ancestors
- Ability to disable or control X-Frame-Options so it does not block embedding from approved origins
This should be an explicit opt-in feature with a strict allowlist of trusted origins to avoid introducing clickjacking risks.
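The following is an added example, not WorkOS code, of how such an opt-in allowlist could be turned into response headers: a strict origin validator plus a helper that emits frame-ancestors and, because X-Frame-Options cannot express a multi-origin allowlist (ALLOW-FROM is obsolete), drops X-Frame-Options only when an allowlist is configured. Function names and the origin syntax it accepts are assumptions for illustration.

```javascript
// Added example (not part of the WorkOS product): derive framing headers from an explicit allowlist.
// Assumption: allowlist entries are bare https origins such as "https://app.example.com[:port]".
const ORIGIN_RE = /^https:\/\/[a-z0-9.-]+(:\d{1,5})?$/i;

function validateOrigin(origin) {
  // Reject wildcards, paths, query strings, http: and anything that is not a bare origin,
  // so a misconfigured entry fails closed instead of widening the frame-ancestors policy.
  if (typeof origin !== 'string' || !ORIGIN_RE.test(origin)) {
    throw new Error(`rejected frame-ancestors entry: ${JSON.stringify(origin)}`);
  }
  return origin.toLowerCase();
}

function framingHeaders(allowedOrigins) {
  // Default (feature not opted in): nothing may frame the page. Both headers say so,
  // so browsers that predate CSP frame-ancestors are covered by X-Frame-Options.
  if (!allowedOrigins || allowedOrigins.length === 0) {
    return {
      'Content-Security-Policy': "frame-ancestors 'none'",
      'X-Frame-Options': 'DENY',
    };
  }
  // Validate every entry and de-duplicate after normalising case.
  const origins = [...new Set(allowedOrigins.map(validateOrigin))];
  // X-Frame-Options has no multi-origin form, so once an allowlist exists the CSP directive
  // is the sole control; emitting X-Frame-Options here would either deny everything or
  // be ignored, so it is omitted rather than set to a conflicting value.
  return {
    'Content-Security-Policy': `frame-ancestors ${origins.join(' ')}`,
  };
}

function applyFramingHeaders(res, allowedOrigins) {
  // Works with any object exposing setHeader(name, value), e.g. Node's http.ServerResponse.
  for (const [name, value] of Object.entries(framingHeaders(allowedOrigins))) {
    res.setHeader(name, value);
  }
}
```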