Secure Iframing

Using authentication forms in iframes needs to be done securely in any Authentication Service.

Not handling iframes correctly can pose significant security risks. Since the iframe is implicitly trusted by the user, but can serve up content from a different domain, the service may be vulnerable to a number of threats, and may make other existing problems (such as XSS issues), even worse.

But iframes can be very useful and are sometimes required. An iframe can make the authentication feel like an integral part of the website it is authenticating for, and many sites need to be able to show an overlay on the website with the authentication rather than redirecting.

Therefore, the Curity Identity Server provides a secure iframing mechanism. Only trusted sites are allowed to use an iframe with the pages served by the Curity Identity Server.


In order to support iframes, the service-provider or the client needs to be setup with the correct origins (sites) that will do the iframing. Only these exact domains will be allowed to frame the page.

Any other page trying to frame the page will cause the page to break out of the iframe and take over as a precaution.