Render New Universal Login Within an iFramed Window

Overview

When attempting to render New Universal Login within an iframe, the following error appears:

Framing 'https://<domain>.eu.auth0.com/' violates the following Content Security Policy directive: "frame-ancestors 'none'". The request has been blocked.

Applies To

  • New Universal Login
  • Clickjack Protection

Cause

This behavior is expected. New Universal Login sets the Content-Security-Policy response header on the /u/login and /u/login/identifier endpoints to frame-ancestors 'none'. This acts as a security measure to prevent clickjacking. Refer to Clickjacking Protection for Universal Login for more information.

Solution

Use one of the following options to resolve this issue.

NOTE: These approaches may open the application to potential clickjack attacks.

  • Switch to Classic Login: In the Dashboard, select Tenant Settings > Advanced settings > Migrations and disable Clickjack protection.
  • Implement a reverse proxy: Switch the custom domain to self-managed and implement a reverse proxy that changes the Content-Security-Policy header on the response.

  • NOTE: This is an advanced topic. A professional services engagement may be required if assistance is needed.
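For the reverse-proxy option, replacing frame-ancestors 'none' with an explicit allowlist of parent origins keeps some clickjacking protection, where dropping the header keeps none. The following is an added example, not Auth0 code; the function names and https://portal.example.com are assumptions for illustration.

```javascript
// Added example: helpers a self-managed reverse proxy could call on each
// upstream response. Function names and origins are hypothetical.

// Accept only exact https origins: no wildcards, paths, or credentials.
function validateOrigin(origin) {
  if (origin.includes('*')) throw new Error(`wildcard not allowed: ${origin}`);
  const url = new URL(origin); // throws on malformed input
  if (url.protocol !== 'https:') throw new Error(`https required: ${origin}`);
  if (url.origin !== origin) throw new Error(`not a bare origin: ${origin}`);
  return origin;
}

// Replace the frame-ancestors directive, keeping every other directive.
function rewriteFrameAncestors(cspHeader, allowedOrigins) {
  if (!Array.isArray(allowedOrigins) || allowedOrigins.length === 0) {
    throw new Error('refusing to rewrite without an explicit allowlist');
  }
  const sources = allowedOrigins.map(validateOrigin).join(' ');
  const kept = String(cspHeader || '')
    .split(';')
    .map((d) => d.trim())
    .filter((d) => d && !/^frame-ancestors(\s|$)/i.test(d));
  kept.push(`frame-ancestors ${sources}`);
  return kept.join('; ');
}

// Apply to a plain headers object (lower-cased names, as Node exposes them).
function rewriteResponseHeaders(headers, allowedOrigins) {
  const out = { ...headers };
  out['content-security-policy'] = rewriteFrameAncestors(
    headers['content-security-policy'], allowedOrigins);
  return out;
}

// Constructed sample: the header value quoted in the error message above.
const upstream = { 'content-security-policy': "frame-ancestors 'none'" };
const result = rewriteResponseHeaders(upstream, ['https://portal.example.com']);
console.log(result['content-security-policy']);
```

The helper refuses an empty allowlist, wildcards, and non-https origins, so a configuration mistake fails closed and the login page is never left frameable by any site.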
