Embedded apps
Websites displayed in iframes require special consideration in order to function properly. Keep in mind the following when implementing your embedded app, an app displayed within iframes in Aurora.
- Beware `X-Frame-Options` and `frame-ancestors`

  If your servers return the `X-Frame-Options` header, we will be unable to embed it in Aurora. If you choose to use the `frame-ancestors` Content Security Policy directive, we recommend setting the value to `https://*.aurorasolar.com`. Be sure to also consider these headers for flows that may leave your core application, such as OAuth-based login flows.

- Cookies require special care

  If you are creating user sessions via cookies, you'll need to adjust your policy to `SameSite=None; Secure` to allow your cookie to be read in the third-party context created by the iframe. When making this change, take care to consider additional avenues for CSRF attacks. In general, Aurora recommends using local storage for managing sessions if possible.

- Careful with caching

  Browsers tend to aggressively cache the content of iframes. We recommend setting an appropriate `Cache-Control` header or implementing a cache-busting scheme for any resources your application loads.

- Refresh temporary keys regularly

  Temporary keys are only valid for 13 hours. We recommend that these keys are re-generated each time your iframe is loaded, even if the user has an existing session, to avoid unexpected authentication failures due to inactivity.
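The four points above translate into a handful of response headers, one cookie attribute set, and a key-age rule. The following is an added example (not Aurora's code and not part of this page) in plain Node.js: it builds the headers an embeddable response needs, emits a `SameSite=None; Secure` session cookie, adds an `Origin` check to compensate for the CSRF protection that `SameSite=None` gives up, and lints a header map for the problems listed above. The `frame-ancestors` value and the 13-hour key lifetime come from the page; the allowed-origin list, the `no-store` caching policy and every function name are assumptions for illustration.

```javascript
// Added example, not Aurora's code. Helpers for an app that is embedded in an
// iframe. Values taken from the page: the frame-ancestors origin and the
// 13-hour temporary-key lifetime. Everything else (function names, the
// allowed-origin list, the no-store policy) is assumed for illustration.

const EMBED_PARENT = "https://*.aurorasolar.com"; // frame-ancestors value from the page

// Headers for a response that must render inside the iframe.
// X-Frame-Options is deliberately absent: any value of it blocks embedding.
function embedHeaders(baseCsp = "default-src 'self'") {
  return {
    "Content-Security-Policy": `${baseCsp}; frame-ancestors ${EMBED_PARENT}`,
    // Assumed policy: iframe content is cached aggressively, so do not let the
    // embedded document itself be cached at all.
    "Cache-Control": "no-store",
  };
}

// Set-Cookie value for a session cookie that the browser will still send in
// the third-party context created by the iframe.
function sessionCookie(name, value, maxAgeSeconds) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",
    "Secure",        // mandatory alongside SameSite=None
    "SameSite=None", // allow the cookie in the cross-site iframe
  ].join("; ");
}

// SameSite=None drops the CSRF protection that Lax/Strict gave for free, so
// state-changing requests get an extra check: the Origin header must be on an
// allowlist. The list below is a constructed placeholder; use your own origin.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);
function csrfOriginOk(method, originHeader) {
  if (["GET", "HEAD", "OPTIONS"].includes(method.toUpperCase())) return true;
  return originHeader !== undefined && ALLOWED_ORIGINS.has(originHeader);
}

// Lint a header map (names compared case-insensitively) for the three header
// problems the page describes. Returns a list of human-readable findings.
function embedProblems(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const problems = [];
  if ("x-frame-options" in lower) {
    problems.push("X-Frame-Options present: page cannot be framed");
  }
  const csp = lower["content-security-policy"] || "";
  const m = csp.match(/frame-ancestors\s+([^;]+)/i);
  if (m && !m[1].trim().split(/\s+/).includes(EMBED_PARENT)) {
    problems.push(`frame-ancestors does not allow ${EMBED_PARENT}`);
  }
  if (!("cache-control" in lower)) {
    problems.push("no Cache-Control header: iframe content may be served stale");
  }
  return problems;
}

// Temporary keys are valid for 13 hours (from the page). This only tells you
// whether a key has aged out; the page still recommends regenerating on every
// iframe load regardless of age.
const TEMP_KEY_TTL_MS = 13 * 60 * 60 * 1000;
function tempKeyExpired(issuedAtMs, nowMs) {
  return nowMs - issuedAtMs >= TEMP_KEY_TTL_MS;
}

// Stand-alone demonstration on a deliberately broken header set.
console.log(embedProblems({
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "frame-ancestors 'self'",
}));
console.log(sessionCookie("sid", "abc", 3600));
```

`embedProblems` is the piece worth wiring into a test suite: run it against the headers your framework actually emits on the embedded route and on the OAuth callback route, since the page notes that login flows which leave the core application are the ones most often forgotten.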