FusionAuth

    Latest posts made by duane

    • RE: Why can't I disable X-Frame-Options or use CSP instead?

      Thank you for the feedback, @dan !

      I was able to add URLs via "Applications" -> "My Application" -> "OAuth" which made the DENY go away. However, now, no one can log in. It just redirects back to the login. I am not sure if it is the same issue as this since it does not go through an HTTP URL.

      Although I am testing from a browser, the other issue is that the frame is embedded in a desktop application. It doesn't use an "http" origin URL, which means I cannot add it as an authorized origin.

      Would this mean proxy is the only option we have?

      posted in Q&A
      duane
    • Why can't I disable X-Frame-Options or use CSP instead?

      Can I define my own security policy regarding what frames my auth can run in?

      Is X-Frame-Options set on FusionAuth's web server or is it set inside the app? When I request the root auth page, it shows the header set to deny.

      I've read the CORS page and seen a possibly related issue (https://github.com/FusionAuth/fusionauth-issues/issues/335). I'd rather set a trusted domain than have to rewrite a 3rd party tool that uses our app in an iframe. I don't see anything that says this is possible.

      I appreciate any help with this matter!

      Thanks!

      posted in Q&A
      duane