change in OAuth flow to disallow framing using X-Frame-Options header


Within the past few days, my web-app integrations' authentication flows have stopped working, because I'm presenting them in an iframe and oauth.constantcontact.com suddenly started sending the X-Frame-Options header as SAMEORIGIN.


Now I *could* just use a separate window, but this is really a much inferior user experience.  It's confusing for them to have to deal with the window (where did it go, have I blocked popup windows, what do I do with it when I've completed the authentication, on and on).


Was it intentional for Constant Contact to suddenly disallow framing of the authentication flow?  Maybe I'm just being dense, but I don't understand why this would be positive in any way.  Would it be possible to revert this change, please?


Eliot Smyrl

Twist & Twirl Consulting




After some initial investigation, it looks like the cause of the change you've seen was an update in a background service that's involved in our login process. As such, one of the steps for the login flow is now returning this header that's preventing the framing. While I'm looking to get some clarification on this from the team that owns that service, I can say that we've been looking at blocking the ability to frame our login for some time, as it does present a possible security risk by allowing people to embed the login.


While I do hope to have some additional info for you soon, I would strongly suggest not relying on an iframed flow for a long-term solution.



Elijah G.
API Support Engineer
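As an added example (not code from either post or from Constant Contact), the following Python applies the browser's framing rules to a login page's response headers, so an integrator or the service owner can check whether a given embedding origin would be allowed to iframe the flow. The sample header set, the authorize URL path and the embedding origin are constructed for illustration.

```python
from urllib.parse import urlsplit

SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}  # constructed sample
LOGIN_URL = "https://oauth.constantcontact.com/oauth2/oauth/siteowner/authorize"  # hypothetical path
EMBEDDER_URL = "https://integration.example.test/connect"  # hypothetical embedding app

def _origin(url: str) -> str:
    """Reduce a URL to its lower-cased scheme://host[:port] origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def _frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None

def _source_matches(src: str, page_origin: str, embedder_origin: str) -> bool:
    """Match one frame-ancestors source expression against the embedding origin."""
    scheme, _, netloc = embedder_origin.partition("://")
    host = netloc.split(":")[0]
    if src == "self":
        return embedder_origin == page_origin
    if src == "*":
        return True
    if src.endswith(":"):        # scheme-source such as https:
        return src[:-1] == scheme
    if "://" in src:             # full origin such as https://app.example.test
        return src == embedder_origin
    if src.startswith("*."):     # wildcard host such as *.example.test
        return host.endswith(src[1:])
    return host == src           # bare host

def can_be_framed(headers: dict, page_url: str, embedder_url: str) -> bool:
    """True if a current browser would let embedder_url render page_url in an iframe.
    CSP frame-ancestors wins over X-Frame-Options when both are present (CSP Level 2);
    otherwise DENY / SAMEORIGIN apply, and any other or missing value permits framing."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    page_origin, embedder_origin = _origin(page_url), _origin(embedder_url)
    ancestors = _frame_ancestors(hdrs.get("content-security-policy", ""))
    if ancestors is not None:
        return ancestors != ["none"] and any(
            _source_matches(s, page_origin, embedder_origin) for s in ancestors)
    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin == page_origin
    return True
```

Feeding it the headers from a live response (for example from `requests.get(...).headers`) reproduces the behaviour described in the thread: with `X-Frame-Options: SAMEORIGIN` only the login host itself may frame the page.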
