
Security

Embedding the Persona iframe

The Embedded Flow boots an iframe that loads Persona. If you'd like to restrict the domains or URI schemes that are allowed to boot the Embedded Flow, you can configure allowlists on the Integration Section page of the Persona dashboard.

The Persona iframe has several restrictions on where and when embedding is allowed.

  1. Only inquiry templates with published versions can be embedded. Draft inquiry template versions cannot be embedded.
  2. Embedding on localhost is only allowed for Sandbox environments.
  3. If Allowed Domains are configured, the iframe can only be embedded on pages on these domains. Note that subdomains need to be configured separately.
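The three rules above, as an added example that is not Persona's own code: a pure check a hosting page could run before booting the Embedded Flow, so that a misconfigured allowlist is caught with a readable reason instead of a silently failing iframe. The option names (pageUrl, environment, templateVersionPublished, allowedDomains) are assumptions for illustration; Persona enforces these rules itself and exposes the allowlist only through the dashboard.

```javascript
// Added example, not Persona's code. Models the embedding restrictions from the
// documentation as a pure function. Field names are assumptions for illustration.

function canEmbed({ pageUrl, environment, templateVersionPublished, allowedDomains = [] }) {
  // Rule 1: only published inquiry template versions can be embedded.
  if (!templateVersionPublished) {
    return { ok: false, reason: "only published inquiry template versions can be embedded" };
  }

  // Parse the hosting page's URL; URL.hostname is already lowercased, so the
  // comparison below is case-insensitive without extra work.
  let host;
  try {
    host = new URL(pageUrl).hostname;
  } catch {
    return { ok: false, reason: `unparseable page URL: ${pageUrl}` };
  }

  // Rule 2: localhost is only allowed in the Sandbox environment.
  if (host === "localhost" && environment !== "sandbox") {
    return { ok: false, reason: "localhost embedding is only allowed in Sandbox environments" };
  }

  // Rule 3: when Allowed Domains are configured, the host must match one of them
  // exactly. There is no wildcard: "app.example.com" does not cover
  // "login.app.example.com", so every subdomain has to be listed on its own.
  if (allowedDomains.length > 0) {
    const allowed = new Set(allowedDomains.map((d) => d.trim().toLowerCase()));
    if (!allowed.has(host)) {
      return {
        ok: false,
        reason: `${host} is not in Allowed Domains (subdomains must be configured separately)`,
      };
    }
  }

  return { ok: true, reason: "" };
}

// Constructed sample configuration (not a real integration).
const sampleConfig = {
  environment: "production",
  templateVersionPublished: true,
  allowedDomains: ["app.example.com"],
};

// Walk a few hosting pages through the check so the effect of each rule is visible.
function demo() {
  return [
    "https://app.example.com/verify",
    "https://login.app.example.com/verify",
    "http://localhost:3000/verify",
  ].map((pageUrl) => ({ pageUrl, ...canEmbed({ pageUrl, ...sampleConfig }) }));
}
```

Exact host matching is the whole point of rule 3: the check deliberately does not accept a suffix match, because that is exactly the behaviour the documentation says the dashboard does not provide.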

iframe sandbox attributes

The iframe created by the Embedded Flow specifies several sandbox attributes.

Required attributes:

  • allow-same-origin: needed to run the Inquiry Flow at all, which is a React single-page app.
  • allow-scripts: allows the iframed content to retain its origin (withpersona.com), allowing communication with the Persona Inquiry Flow, usage of LocalStorage and cookies, etc.
  • allow-popups: allows opening new windows. Needed to allow access to the Terms of Service and other consent policies.

Optional attributes:

  • allow-forms: needed for form submission. Only needed for flows including form inputs.
  • allow-modals: needed for beforeunload, which is used for error reporting.
  • allow-top-navigation-by-user-activation: allows redirect on completion.

Optional attributes can be removed with the sandboxAttributes parameter. Note that removing them may reduce the functionality of the Inquiry Flow.
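The required/optional split above, as an added example that is not Persona's code: a helper that composes the iframe's sandbox value, refuses to drop a required token, and reports which Inquiry Flow feature each removed optional token takes away. The `remove` option stands in for the page's sandboxAttributes parameter and its exact shape is an assumption; the comments describe each token as the WHATWG HTML standard defines it.

```javascript
// Added example, not Persona's code. The `remove` option is an assumed stand-in
// for the documented sandboxAttributes parameter.

// Tokens the Embedded Flow always sets (per the documentation).
const REQUIRED_SANDBOX = Object.freeze([
  "allow-same-origin", // frame keeps its own origin (withpersona.com): storage, cookies
  "allow-scripts",     // the React single-page app's JavaScript may run
  "allow-popups",      // Terms of Service / consent policies open in a new window
]);

// Optional tokens and the Inquiry Flow feature lost when each is removed.
const OPTIONAL_SANDBOX = Object.freeze({
  "allow-forms": "form submission (flows with form inputs)",
  "allow-modals": "beforeunload prompt used for error reporting",
  "allow-top-navigation-by-user-activation": "redirect of the top page on completion",
});

// Build the sandbox attribute value. Required tokens are never dropped; asking to
// drop one, or an unknown token, produces a warning instead of a silent no-op.
function buildSandbox({ remove = [] } = {}) {
  const dropped = new Set();
  const warnings = [];
  const lostFeatures = [];

  for (const token of remove) {
    if (REQUIRED_SANDBOX.includes(token)) {
      warnings.push(`${token} is required by the Inquiry Flow and was kept`);
    } else if (token in OPTIONAL_SANDBOX) {
      dropped.add(token);
      lostFeatures.push(OPTIONAL_SANDBOX[token]);
    } else {
      warnings.push(`${token} is not a token the Embedded Flow sets; ignored`);
    }
  }

  const tokens = [
    ...REQUIRED_SANDBOX,
    ...Object.keys(OPTIONAL_SANDBOX).filter((t) => !dropped.has(t)),
  ];
  return { sandbox: tokens.join(" "), lostFeatures, warnings };
}

// Apply the computed value to an iframe-like element. Accepts anything with a
// setAttribute method so it can be exercised without a DOM.
function applySandbox(frame, { remove = [] } = {}) {
  const result = buildSandbox({ remove });
  frame.setAttribute("sandbox", result.sandbox);
  return result;
}

// Runs only in a browser; in Node there is no document, so this is skipped.
if (typeof document !== "undefined") {
  const frame = document.createElement("iframe");
  const { warnings } = applySandbox(frame, { remove: ["allow-modals"] });
  warnings.forEach((w) => console.warn(w));
}
```

Dropping a token narrows what the framed content can do at the browser level, so the trade-off is visible in the `lostFeatures` list rather than discovered later as a broken redirect or a missing form submission.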

For more information, see the WHATWG HTML standard and the MDN iframe documentation.