Azure AD B2C Embedded signin is not working in safari

Sahil Shah 51 Reputation points
2023-09-04T14:07:28.0466667+00:00

I have enabled JourneyFraming in custom policy as described here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/embedded-login?pivots=b2c-custom-policy

    <UserJourneyBehaviors>
      <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="xxxxx" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" />
      <JourneyFraming Enabled="true" Sources="https://example-site1.com https://example-2.azurewebsites.net https://www.emaple-3.com https://localhost:50000" />
      <ScriptExecution>Allow</ScriptExecution>
    </UserJourneyBehaviors>

The embedded iframe loads fine in chrome, but fails to load in safari.

Getting the following error in console: "Invalid 'X-Frame-Options' header encountered when loading <b2c_page_url>: ALLOW-FROM <url> is not a recognized directive. The header will be ignored."

Any idea what could be missing for Safari?


Accepted answer
Shweta Mathur 29,781 Reputation points Microsoft Employee
2023-10-04T06:37:47.66+00:00

    Hi @Sahil Shah

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    [image: screenshot of the question author's solution, reposted here]

    Thanks!!!


1 additional answer

Shweta Mathur 29,781 Reputation points Microsoft Employee
2023-09-06T06:30:54.54+00:00

    Hi @Sahil Shah ,

    Thanks for reaching out.

    This is expected as Safari does not support the ALLOW-FROM directive.

    Instead, you can use the Content-Security-Policy header to control framing. You can set the Content-Security-Policy header to frame-ancestors to allow framing from specific sources.

    To allow your Azure AD B2C user interface to be embedded in an iframe, a content security policy Content-Security-Policy and frame options X-Frame-Options must be included in the Azure AD B2C HTTP response headers.

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.
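As an added illustration (not code from this thread or from Azure AD B2C), the following JavaScript models how a browser evaluates the two framing headers the answer mentions: a `frame-ancestors` directive is consulted first, and an `X-Frame-Options` header with an unrecognised directive such as `ALLOW-FROM` is ignored as if it were absent. The B2C origin and the unlisted parent origin are placeholders, the source list is taken from the question's `JourneyFraming` element, and the CSP source matching is a simplification of the CSP3 rules (no path or default-port handling).

```javascript
// Added example, not code from the thread or from Azure AD B2C: a simplified
// model of a browser's framing decision for the headers B2C sends.

// Extract the source list of the frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  const directive = csp.split(';').map(d => d.trim())
    .find(d => d.toLowerCase().startsWith('frame-ancestors'));
  return directive ? directive.split(/\s+/).slice(1) : null;
}

// Match one CSP source expression against the embedding page's origin.
// Handles 'self', 'none', scheme sources ("https:") and host sources with an
// optional "*." wildcard and optional port; a simplification of CSP3 matching.
function sourceMatches(source, parentOrigin, selfOrigin) {
  const parent = new URL(parentOrigin);
  const src = source.toLowerCase();
  if (src === "'self'") return parentOrigin === selfOrigin;
  if (src === "'none'") return false;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return parent.protocol === src;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && parent.protocol !== `${scheme}:`) return false;
  if (port && parent.port !== port) return false;
  return wildcard ? parent.hostname.endsWith(`.${host}`) : parent.hostname === host;
}

// Decide whether parentOrigin may embed the response carrying `headers`.
// frame-ancestors, when present, takes precedence over X-Frame-Options.
// ALLOW-FROM is not recognised by Safari (nor by current Chrome or Firefox),
// so a header using it is dropped: it grants nothing and blocks nothing.
function framingAllowed(headers, parentOrigin, selfOrigin) {
  const ancestors = frameAncestors(headers['content-security-policy'] || '');
  if (ancestors) return ancestors.some(s => sourceMatches(s, parentOrigin, selfOrigin));
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parentOrigin === selfOrigin;
  return true; // no header, or an unrecognised directive such as ALLOW-FROM
}

// Constructed sample: the Sources from the question's JourneyFraming element,
// once as the obsolete ALLOW-FROM header only and once with frame-ancestors.
const B2C_ORIGIN = 'https://contoso.b2clogin.com'; // placeholder tenant origin
const allowFromOnly = { 'x-frame-options': 'ALLOW-FROM https://example-site1.com' };
const withCsp = {
  'x-frame-options': 'ALLOW-FROM https://example-site1.com',
  'content-security-policy': "frame-ancestors 'self' https://example-site1.com " +
    'https://example-2.azurewebsites.net https://www.emaple-3.com https://localhost:50000',
};
```

With `allowFromOnly`, an unlisted parent origin is not blocked at all, which is why relying on `ALLOW-FROM` gives no clickjacking protection in these browsers; with `withCsp`, only the listed sources (and the B2C origin itself) pass.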

