@maxime-guitet Hi, I was facing a similar issue when I was trying to load the self-service account page in an iframe in our application.
Our setup was the same as yours: FusionAuth hosted on auth.domain.com and the iframe hosted on app.domain.com, so they both share the same top-level domain. The issue of X-Frame-Options: Deny not being present in every request was solved by adding the referrer policy attribute to the iframe tag.
The final iframe code looks like this:

    <iframe
      src="https://auth.domain.com/account/?client_id=<your id for application>"
      referrerpolicy="strict-origin-when-cross-origin"></iframe>
Hope this helps!
Regards
Vatsal
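The post above relies on the referrer policy changing what the auth host sees in the Referer header of the framed request. The following is an added example, not code from the thread or from FusionAuth: it computes the Referer a browser sends for the app.domain.com → auth.domain.com iframe load under each `referrerpolicy` value (following the W3C Referrer Policy rules), and shows a hypothetical server-side check that only allows framing from a same-site HTTPS embedder. The URLs, the `refererFor` / `framingHeaders` names and the same-site heuristic are constructed for this example; how FusionAuth itself decides when to emit X-Frame-Options is not shown here and is not claimed.

```javascript
// Added example, not from the forum post or FusionAuth. Uses only the global URL class.

// Referer value a browser sends for a request from `fromUrl` to `toUrl` under
// `policy` (W3C Referrer Policy rules). Returns null when no Referer is sent.
function refererFor(fromUrl, toUrl, policy = "strict-origin-when-cross-origin") {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  // Full referrer strips credentials and fragment; origin-only form ends with "/".
  const full = from.origin + from.pathname + from.search;
  const originOnly = from.origin + "/";

  switch (policy) {
    case "no-referrer":                  return null;
    case "no-referrer-when-downgrade":   return downgrade ? null : full;
    case "origin":                       return originOnly;
    case "origin-when-cross-origin":     return sameOrigin ? full : originOnly;
    case "same-origin":                  return sameOrigin ? full : null;
    case "strict-origin":                return downgrade ? null : originOnly;
    case "strict-origin-when-cross-origin":
      if (downgrade) return null;
      return sameOrigin ? full : originOnly;
    case "unsafe-url":                   return full;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Registrable-domain heuristic for this example only: last two labels (domain.com).
// A real deployment should consult the Public Suffix List instead.
function site(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Hypothetical anti-framing decision for a page at `pageUrl` given the Referer it
// received: a same-site HTTPS embedder gets an explicit frame-ancestors allow-list,
// anything else (including a missing Referer) is denied. Not FusionAuth's logic.
function framingHeaders(pageUrl, referer) {
  const page = new URL(pageUrl);
  if (referer) {
    const ref = new URL(referer);
    if (ref.protocol === "https:" && site(ref.hostname) === site(page.hostname)) {
      return { "Content-Security-Policy": `frame-ancestors ${ref.origin}` };
    }
  }
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}

// Constructed sample: the embedding app page and the framed account page.
const APP_PAGE = "https://app.domain.com/dashboard?tab=profile";
const AUTH_PAGE = "https://auth.domain.com/account/?client_id=CLIENT_ID_PLACEHOLDER";

const POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
  "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
];

for (const policy of POLICIES) {
  const referer = refererFor(APP_PAGE, AUTH_PAGE, policy);
  console.log(policy.padEnd(32), "Referer:", referer, "=>", framingHeaders(AUTH_PAGE, referer));
}
```

Note that under `strict-origin-when-cross-origin` (and the default in current browsers) the auth host only ever learns the embedder's origin, never the dashboard path or query string, which is the least information that still lets a same-site check like the one above succeed; `same-origin` and `no-referrer` send nothing at all, so a Referer-based check would fall through to the deny branch.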