Iframes can pose a significant security risk for authentication services because they enable attacks such as clickjacking, iframe injection, iframe phishing, and many others.
Safari has additionally implemented a feature called Intelligent Tracking Prevention that blocks third-party cookies by default in iframe contexts, which breaks authentication, CSRF prevention, and sessions. Chrome is planning on rolling out the same changes in 2024.
We therefore discourage the use of iframes with Ory and have implemented HTTP headers (X-Frame-Options: DENY) that tell browsers that iframes cannot be used with the Ory Account Experience.
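
One way to check that a response forbids framing, as an added example (not Ory's own code). The function name `framingPolicy` and the sample header sets are constructed for illustration. The example also reads the CSP `frame-ancestors` directive, which this page does not mention but which browsers give precedence over X-Frame-Options.

```javascript
// Added example: classify whether a response's headers let the page be framed.
// Input is a plain object of header name -> value (names are case-insensitive).
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // CSP frame-ancestors wins over X-Frame-Options in browsers that support it.
  const csp = h["content-security-policy"];
  if (csp) {
    for (const directive of csp.split(";")) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() !== "frame-ancestors") continue;
      const list = sources.map((s) => s.toLowerCase());
      // An empty source list matches no origin, the same as 'none'.
      if (list.length === 0 || (list.length === 1 && list[0] === "'none'")) return "deny";
      if (list.every((s) => s === "'self'")) return "same-origin";
      return "allow-listed";
    }
  }

  const xfo = (h["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return "deny";
  if (xfo === "sameorigin") return "same-origin";
  // ALLOW-FROM is obsolete and ignored by current browsers, as are unknown
  // values, so both leave the page frameable.
  return "unprotected";
}

// Constructed sample responses (not captured from a real deployment).
const samples = {
  "header described on this page": { "X-Frame-Options": "DENY" },
  "no framing headers": { "Content-Type": "text/html" },
  "obsolete ALLOW-FROM": { "X-Frame-Options": "ALLOW-FROM https://app.example" },
  "CSP overrides XFO": {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors https://app.example",
  },
};
for (const [label, hdrs] of Object.entries(samples)) {
  console.log(`${label}: ${framingPolicy(hdrs)}`);
}
```

Anything other than `deny` on a login, registration, or settings page means a browser may render that page inside another origin's frame.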