Skip to main content
Version: 1.7.3

Frame Ancestor

The frame-ancestors directive is part of the Content Security Policy (CSP), a security standard designed to prevent various types of attacks such as Cross-Site Scripting (XSS) and clickjacking. This directive controls whether a web page can be embedded in an <iframe>, <object>, <embed>, or <applet> element, specifying which parent frames can load the content.

How Frame Ancestors Works

    The frame-ancestors directive specifies one or more allowed sources (origins or schemes) that are permitted to embed the content. If the embedding source does not match any of the allowed sources, the browser will block the attempt to embed the content. This mechanism helps enhance security by preventing unauthorized sites from embedding your content.

How to Configure the Frame Ancestor in Drop-In UI

    To ensure the security of the W9 Drop-In UI, the frame-ancestors directive can be configured as follows:

  • Requesting a Transient Token:
        When requesting a transient token, you need to specify the origin sites that are authorized to use the W9 URL. These origins are defined in the CSP, and the sites that can embed the W9 Drop-In UI are determined.

  • Allowed Origins:
        Only the specified origins will be allowed when the W9 Drop-In JS is loaded with the transient token. If no origins are specified, the site will not be able to load the W9 Drop-In.

  • Passing the Transient Token:
        After defining the allowed origins in the transient token, pass this token when loading the W9 Drop-In SDK JavaScript. The iframe URL will be sent with the CSP policy as part of the response.

  • Enforcing CSP Policy:
        When the iframe URL is loaded, the CSP policy will check if the domain is allowed. If the domain is not in the list of allowed origins, the loading will be restricted.

  • Token Validity and Expiration:
        Once the URL is requested within 15 minutes of the transient token being issued, the frame-ancestors directive will be set and remain valid for a day. After this period, the URL will be restricted, requiring a new transient token to be requested for further access.

    By following these steps, you ensure that the W9 Drop-In UI is securely embedded only by trusted origins, preventing unauthorized access and enhancing the security of your application.