The Embedded Flow boots an iframe that loads Persona. If you'd like to restrict the allowed domains or URI schemes that are allowed to boot the Embedded Flow, you can configure allowlists in the Integration Section page within the Persona dashboard.
The Persona iframe has several limitations around when embedding is allowed.
- Only inquiry templates with published versions can be embedded. Draft inquiry template versions cannot be embedded.
- Embedding in
localhostis only allowed for Sandbox environments.
- If Allowed Domains are configured, the iframe can only be embedded on pages on these domains. Note that subdomains need to be configured separately.
The Persona flow requires access to the end user's camera for Government ID and Selfie collection. If your integration uses these features, you will need to ensure that the Persona iframe has permissions to request camera access.
There are three types of permissions restrictions: the
Permissions-Policy HTTP header, the iframe
allow attribute, and the iframe
Permissions-Policy controls permissions for all elements on the page which loads the Persona iframe, while the iframe
sandbox attribute controls permissions specifically for the Persona iframe.
Permissions-Policy HTTP header controls Permissions Policy for the entire document. This header is specified by your server, and is not controlled by Persona.
If you use this header, you must ensure that the
camera directive allows Persona's domain. The required configuration may vary based on your exact integration (for example, if you use a custom domain / subdomain).
For more information, see the MDN
allow attribute controls Permissions Policy on a per-iframe level.
The iframe created by the Embedded flow specifies
camera;microphone. This is not configurable.
For more information, see the MDN iframe documentation.
sandbox attribute controls what browser behavior is controllable from within the iframe.
The iframe created by the Embedded Flow specifies several
sandboxAttributes parameter. Note that changing these attributes may affect the functionality of the Inquiry Flow.
Required attributes (cannot be removed):
allow-same-origin: needed to run the Inquiry Flow at all, which is a React single-page app.
allow-scripts: allows the iframed content to retain its origin (withpersona.com), allowing communication with the Persona Inquiry Flow, usage of LocalStorage and cookies, etc.
allow-popups: allows opening new windows. Needed to allow access to Terms of Services and other consent policies.
allow-forms: needed for form submission. Only needed for flows including form inputs.
allow-modals: needed for the
beforeunloadevent, which is used for error reporting.
allow-top-navigation-by-user-activation: allows redirect on completion of the flow. Only needed for flows that want to do a top-level redirect of the parent page upon completion.
Updated 14 days ago