feat: enable iframe use (#4766)

* feat: enable iframe use

* cleanup

* fix mocks

* fix linting

* docs: add iframe usage to solution scenarios configurations

* improve api

* feat(console): security policy

* description

* remove unnecessary line

* disable input button and urls when not enabled

* add image to docs

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>

docs/docs/apis/proto/admin.md

@@ -332,6 +332,30 @@ Get log notification provider
     GET: /notification/provider/log
 
 
+### GetSecurityPolicy
+
+> **rpc** GetSecurityPolicy([GetSecurityPolicyRequest](#getsecuritypolicyrequest))
+[GetSecurityPolicyResponse](#getsecuritypolicyresponse)
+
+Get the security policy
+
+
+
+    GET: /policies/security
+
+
+### SetSecurityPolicy
+
+> **rpc** SetSecurityPolicy([SetSecurityPolicyRequest](#setsecuritypolicyrequest))
+[SetSecurityPolicyResponse](#setsecuritypolicyresponse)
+
+set the security policy
+
+
+
+    PUT: /policies/security
+
+
 ### GetOrgByID
 
 > **rpc** GetOrgByID([GetOrgByIDRequest](#getorgbyidrequest))
@@ -2739,6 +2763,23 @@ This is an empty request
 
 
 
+### GetSecurityPolicyRequest
+This is an empty request
+
+
+
+
+### GetSecurityPolicyResponse
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| policy |  zitadel.settings.v1.SecurityPolicy | - |  |
+
+
+
+
 ### GetSupportedLanguagesRequest
 This is an empty request
 
@@ -4025,6 +4066,29 @@ this is en empty request
 
 
 
+### SetSecurityPolicyRequest
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| enable_iframe_embedding |  bool | states if iframe embedding is enabled or disabled |  |
+| allowed_origins | repeated string | origins allowed to load ZITADEL in an iframe if enable_iframe_embedding is true |  |
+
+
+
+
+### SetSecurityPolicyResponse
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| details |  zitadel.v1.ObjectDetails | - |  |
+
+
+
+
 ### SetUpOrgRequest
 
 

docs/docs/apis/proto/settings.md

@@ -106,6 +106,19 @@ title: zitadel/settings.proto
 
 
 
+### SecurityPolicy
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| details |  zitadel.v1.ObjectDetails | - |  |
+| enable_iframe_embedding |  bool | states if iframe embedding is enabled or disabled |  |
+| allowed_origins | repeated string | origins allowed to load ZITADEL in an iframe if enable_iframe_embedding is true |  |
+
+
+
+
 ### TwilioConfig
 
 

docs/docs/guides/solution-scenarios/configurations.mdx

@@ -74,3 +74,38 @@ Go to the "Advanced" section, per default login with email address should be all
 
 ![Login Policy Advanced Setting: Disable email for login](/img/guides/scenarios/login_policy_advanced.png)
 
+## Embedding ZITADEL in an iFrame
+
+To maximise the security during login and in the Console UI, ZITADEL follows security best practices by setting a
+Content-Security-Policy (CSP) and X-Frame-Options:
+
+```
+Content-Security-Policy: frame-ancestors 'none'
+X-Frame-Options: deny
+```
+
+These settings block the use of serving it in an iframe to prevents clickjacking attacks.
+
+### Enable iFrame embedding
+
+:::caution
+This change can make you vulnerable to clickjacking attacks.
+:::
+
+If your applications need to load ZITADEL inside an iframe, e.g. for a silent login or silent refresh, you can enable the use on an instance level.
+
+1. Navigate to the Instance Settings.
+2. Click on the Security Policy tab.
+3. Enable the "Allow IFrame" and add the host(s) you load the iframe from.
+
+You can add further hosts later on.
+
+![Security Settings: Allow iFrame](/img/guides/scenarios/security_policy.png)
+
+This will change the CSP to the following:
+
+```
+Content-Security-Policy: frame-ancestors https://custom-domain.com
+```
+
+and remove the X-Frame-Options header.