
change in OAuth flow to disallow framing using X-Frame-Options header

Occasional Organizer

Within the past few days, my web-app integrations' authentication flows have stopped working, because I'm presenting them in an iframe and Constant Contact suddenly started sending the X-Frame-Options header as SAMEORIGIN.


Now I *could* just use a separate window, but this is really a much inferior user experience.  It's confusing for them to have to deal with the window (where did it go, have I blocked popup windows, what do I do with it when I've completed the authentication, on and on).


Was it intentional for Constant Contact to suddenly disallow framing of the authentication flow?  Maybe I'm just being dense, but I don't understand why this would be positive in any way.  Would it be possible to revert this change, please?


Eliot Smyrl

Twist & Twirl Consulting

Honored Contributor

Re: change in OAuth flow to disallow framing using X-Frame-Options header



After some initial investigation, it looks like the cause of the change you've seen was an update in a background service that's involved in our login process. As such, one of the steps for the login flow is now returning this header that's preventing the framing. While I'm looking to get some clarification on this from the team that owns that service, I can say that we've been looking at blocking the ability to frame our login for some time, as it does present a possible security risk by allowing people to embed the login.


While I do hope to have some additional info for you soon, I would strongly suggest not relying on an iframed flow for a long-term solution.



Elijah G.
API Support Engineer
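The reply above explains the breakage in terms of the browser's framing rules: once a step of the login flow answers with X-Frame-Options: SAMEORIGIN, a page on another origin can no longer render it in an iframe, and that is the intended protection against embedding a login inside a third-party page. Added here as an illustration (this is not Constant Contact's code; the URLs and header values are constructed placeholders), the following Python check models those rules so an integrator can tell from a response's headers whether an embedded flow could work at all, and shows the header set a login endpoint would emit to refuse framing:

```python
"""
Evaluate whether an HTTP response may be rendered inside an <iframe>
by a page on a given origin.

Added example, not Constant Contact's code. It models the browser rules
relevant to the thread above:
  * X-Frame-Options: DENY        -> never framed
  * X-Frame-Options: SAMEORIGIN  -> framed only by pages on the same origin
  * Content-Security-Policy frame-ancestors, when present, takes precedence
    over X-Frame-Options in current browsers
Other X-Frame-Options values (including the obsolete ALLOW-FROM) are ignored
by current browsers, so they are treated here as "no policy".
All sample URLs and headers below are constructed placeholders.
"""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Return scheme://host[:port] (lower-cased) for origin comparison."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{port}"


def _frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]]
    return None


def _source_matches(source: str, origin: str) -> bool:
    """Minimal CSP host-source matching: host, scheme://host, or *.suffix."""
    if source == "*":
        return True
    o = urlsplit(origin)
    if "://" in source:
        s = urlsplit(source)
        host_pat, scheme_ok = s.netloc.lower(), s.scheme.lower() == o.scheme
    else:
        host_pat, scheme_ok = source, True          # host-only source, any scheme
    if host_pat.startswith("*."):
        host_ok = o.netloc.endswith(host_pat[1:])   # "*.x.test" -> ".x.test"
    else:
        host_ok = o.netloc == host_pat
    return scheme_ok and host_ok


def framing_allowed(headers: dict, response_url: str, embedder_url: str) -> bool:
    """True if a browser would render response_url in a frame on embedder_url."""
    h = {k.lower(): v for k, v in headers.items()}
    resp_origin = origin_of(response_url)
    emb_origin = origin_of(embedder_url)

    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:                       # CSP wins over XFO
        if not ancestors or ancestors == ["'none'"]:
            return False
        for src in ancestors:
            if src == "'self'":
                if emb_origin == resp_origin:
                    return True
            elif src != "'none'" and _source_matches(src, emb_origin):
                return True
        return False

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return emb_origin == resp_origin
    return True     # no (valid) framing policy: the old, frameable behaviour


def hardened_login_headers() -> dict:
    """Headers a login endpoint would send to refuse framing by any other origin.
    Both are set so that old and new browsers enforce the same policy."""
    return {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'",
    }


if __name__ == "__main__":
    # Constructed scenario mirroring the thread: a partner web app embeds the
    # provider's OAuth login page, which now answers with SAMEORIGIN.
    login = "https://login.provider.example/oauth/authorize"
    partner = "https://app.partner.example/connect"
    print(framing_allowed({"X-Frame-Options": "SAMEORIGIN"}, login, partner))  # False
    print(framing_allowed({}, login, partner))                                 # True
```

Running the block prints the outcome for the constructed scenario: with the header present the embedded flow is refused, without it the page is frameable, which is exactly the difference the original poster observed. The check is deliberately conservative about the CSP syntax it understands; for diagnosing a real integration, compare the live response headers in the browser's network panel against the same rules.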