The Embedded Flow boots an iframe that loads Persona. If you'd like to restrict the allowed domains or URI schemes that are allowed to boot the Embedded Flow, you can configure allowlists in the Integration Section page within the Persona dashboard.
The Persona iframe has several limitations around when embedding is allowed.
- Only inquiry templates with published versions can be embedded. Draft inquiry template versions cannot be embedded.
- Embedding in
localhostis only allowed for Sandbox environments.
- If Allowed Domains are configured, the iframe can only be embedded on pages on these domains. Note that subdomains need to be configured separately.
The iframe created by the Embedded Flow specifies several
allow-same-origin: needed to run the Inquiry Flow at all, which is a React single-page app.
allow-scripts: allows the iframed content to retain its origin (withpersona.com), allowing communication with the Persona Inquiry Flow, usage of LocalStorage and cookies, etc.
allow-popups: allows opening new windows. Needed to allow access to Terms of Services and other consent policies.
allow-forms: needed for form submission. Only needed for flows including form inputs.
allow-modals: needed for beforeunload, which is used for error reporting.
allow-top-navigation-by-user-activation: allows redirect on completion.
Optional attributes can be removed with the
sandboxAttributes parameter. Note that this may affect the functionality of the Inquiry Flow.
Updated 4 months ago