Embedded apps

Websites displayed in iframes require special consideration in order to function properly. Keep in mind the following when implementing your embedded app, that is, an app displayed within an iframe in Aurora.

  • Beware X-Frame-Options and frame-ancestors
    If your servers return the X-Frame-Options header, we will be unable to embed your app in Aurora. If you choose to use the frame-ancestors Content Security Policy directive instead, we recommend setting its value to https://*.aurorasolar.com. Be sure to also consider these headers for flows that may leave your core application, such as OAuth-based login flows.
  • Cookies require special care
    If you are creating user sessions via cookies, you'll need to set the cookie attributes to SameSite=None; Secure so that your cookie can be read in the third-party context created by the iframe. When making this change, take care to consider the additional avenues for CSRF attacks it opens, since the browser will no longer withhold the cookie on cross-site requests. In general, Aurora recommends using local storage for managing sessions if possible.
  • Careful with caching
    Browsers tend to aggressively cache the content of iframes. We recommend setting an appropriate Cache-Control header or implementing a cache-busting scheme for any resources your application loads.
  • Refresh temporary keys regularly
    Temporary keys are only valid for 13 hours. We recommend that these keys are re-generated each time your iframe is loaded, even if the user has an existing session, to avoid unexpected authentication failures due to inactivity.