
Provide Content Security Policy to prevent embedding of iframes on unauthorized origins #29782

@jonkoops

Description

Keycloak has several iframes that are embedded into pages of the relying party, for security reasons these iframes should only be allowed to be embedded by trusted origins configured by the user. The specific iframes in question are as follows:

For these resources the frame-ancestors Content Security Policy directive should be set so that only valid origins will be able to embed them. This can be determined as follows:

  1. The Keycloak JS adapter embeds the iframes with the referrerpolicy set to strict-origin, which will only send the origin in the Referer header when the protocol security level stays the same (HTTPS→HTTPS),
  2. The Referer header is read by the Keycloak server from the HTTP request for the iframe, and validated against the configured Web Origins of the clients in the realm (see the existing code for the Session Status iframe for reference).
  3. If any client is found with a Web Origin that matches the Referer header, the frame-ancestors directive should be set to the host-source of the referrer, otherwise the directive should be set to none.

There is a valid reason that we do not currently implement this functionality. For step 2, it is required to iterate over all clients in the realm, as at that point the client id is not known. This can lead to performance issues where a realm contains many clients. As part of this issue a solution must be implemented to mitigate any performance issues that could lead to a denial of service attack.
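The three steps above, worked through as an added example (this is illustrative code written for this page, not Keycloak's own implementation). It normalizes the `Referer` value to a CSP host-source, looks it up against the realm's configured Web Origins, and emits either `frame-ancestors <origin>` or `frame-ancestors 'none'`. To address the performance concern in step 2, the Web Origins are indexed once per realm into a dictionary so that a request costs one lookup instead of a scan over every client. The client records, the `build_origin_index` / `frame_ancestors_for` function names and the handling of wildcard Web Origins values are assumptions of this example, not Keycloak behaviour.

```python
from urllib.parse import urlsplit

# Constructed sample of realm clients with their Web Origins (not real data).
SAMPLE_CLIENTS = [
    {"clientId": "my-app", "webOrigins": ["https://app.example.com"]},
    {"clientId": "admin-console", "webOrigins": ["https://ADMIN.example.com:8443/"]},
    # Assumption: wildcard values are deliberately NOT expanded, since reflecting
    # an arbitrary Referer into frame-ancestors would defeat the whole check.
    {"clientId": "legacy", "webOrigins": ["*"]},
]


def normalize_origin(url):
    """Reduce a URL (or a Referer sent with referrerpolicy=strict-origin)
    to a CSP host-source: scheme://host[:port], lower-cased, default port dropped.
    Returns None for anything that is not a plain http(s) origin."""
    try:
        parts = urlsplit(url.strip())
        scheme = parts.scheme.lower()
        host = parts.hostname          # already lower-cased by urlsplit
        port = parts.port              # raises ValueError on a malformed port
    except (ValueError, AttributeError):
        return None
    if scheme not in ("http", "https") or not host:
        return None
    default_port = 443 if scheme == "https" else 80
    if port is None or port == default_port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def build_origin_index(clients):
    """Index configured Web Origins once per realm: origin -> set of clientIds.
    This replaces the per-request scan over all clients described in step 2."""
    index = {}
    for client in clients:
        for raw in client.get("webOrigins", []):
            origin = normalize_origin(raw)
            if origin is None:         # skips wildcards and malformed entries
                continue
            index.setdefault(origin, set()).add(client["clientId"])
    return index


def frame_ancestors_for(referer, origin_index):
    """Step 3: return the frame-ancestors directive for an iframe request.
    No Referer (e.g. the HTTPS->HTTP downgrade case of strict-origin), an
    unparsable Referer, or an origin not configured on any client all yield 'none'."""
    if not referer:
        return "frame-ancestors 'none'"
    origin = normalize_origin(referer)
    if origin is None or origin not in origin_index:
        return "frame-ancestors 'none'"
    return f"frame-ancestors {origin}"


if __name__ == "__main__":
    idx = build_origin_index(SAMPLE_CLIENTS)
    for ref in ["https://app.example.com/", "https://app.example.com:443/x?y=1",
                "https://ADMIN.example.com:8443/", "http://app.example.com/",
                "https://evil.example.net/", None]:
        print(repr(ref), "->", frame_ancestors_for(ref, idx))
```

The index would need to be rebuilt (or incrementally updated) whenever a client's Web Origins change; the point of the example is that the per-request cost no longer grows with the number of clients in the realm.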

Recommended reading
