Open
Description
Please add support for configuring HTTP response headers for the WorkOS Hosted UI, specifically:
- Content-Security-Policy (especially frame-ancestors)
- X-Frame-Options
We are using the WorkOS Hosted UI for OAuth flows, where users are presented with a consent screen during the authorization process.
Our goal is to embed this consent screen inside an <iframe> within our own application. However, the current response headers prevent the Hosted UI from being framed, and there is no way to configure or override this behavior.
Provide a way to configure framing-related headers for the Hosted UI.
Specifically:
- Ability to define allowed origins via Content-Security-Policy: frame-ancestors
- Ability to disable or control X-Frame-Options so it does not block embedding from approved origins
This should be an explicit opt-in feature with a strict allowlist of trusted origins to avoid introducing clickjacking risks.
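An added example, not WorkOS's code, of the opt-in allowlist model described above: a small Node.js helper (the Express-style middleware wiring is an assumption) that emits deny-by-default framing headers and, when an allowlist is configured, a Content-Security-Policy frame-ancestors directive listing only validated HTTPS origins.

```javascript
// Added example, not WorkOS code. Builds framing headers for a hosted page from
// an explicit allowlist of trusted origins; the allowlist is assumed to come
// from per-tenant configuration and is empty unless a tenant opts in.

// Accept only origins of the form https://host[:port]: no paths, no wildcards,
// no plain http, so a misconfiguration cannot widen the allowlist silently.
const ORIGIN_RE = /^https:\/\/[a-z0-9.-]+(:\d{1,5})?$/i;

function isValidFrameOrigin(origin) {
  return typeof origin === 'string' && ORIGIN_RE.test(origin);
}

// Return the response headers for the hosted page given the configured allowlist.
// With no allowlist (the default), framing is denied by both mechanisms.
function framingHeaders(allowedOrigins = []) {
  const rejected = allowedOrigins.filter((o) => !isValidFrameOrigin(o));
  if (rejected.length > 0) {
    throw new Error(`rejected frame origins: ${rejected.join(', ')}`);
  }
  if (allowedOrigins.length === 0) {
    return {
      'Content-Security-Policy': "frame-ancestors 'none'",
      'X-Frame-Options': 'DENY',
    };
  }
  // frame-ancestors can name several origins; X-Frame-Options cannot (ALLOW-FROM
  // is obsolete), so it is omitted for opted-in tenants and CSP governs framing.
  return {
    'Content-Security-Policy': `frame-ancestors ${allowedOrigins.join(' ')}`,
  };
}

// Hypothetical Express-style middleware that applies the computed headers.
function framingMiddleware(allowedOrigins) {
  const headers = framingHeaders(allowedOrigins); // validate once at startup
  return (req, res, next) => {
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value);
    }
    next();
  };
}
```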