Securely embed Flex as an iframe


Info

Starting March 3rd, 2021, all new Flex applications are required to register their valid URLs under Twilio Flex's Allowed URLs list in order to embed Flex as an iframe.

Starting June 29th, 2021, all Flex applications created before March 3rd, 2021 are required to register their valid URLs under Twilio Flex's Allowed URLs list in order to embed Flex as an iframe.

We are updating our Content Security Policy (CSP) so that it is restricted to URLs registered with Twilio. This also applies to Salesforce and Zendesk integrations.

Our security policy will help guard against cross-site scripting (XSS) and other content injection attacks, such as click-jacking. Instead of blindly trusting everything that a server delivers, we have implemented a policy that lets you add a list of sources of trusted content. Your allowed URL(s) will be added to the CSP header as valid sources in the frame-ancestors directive, along with a report-uri directive, on authenticated Flex requests. This tells your browser to report an error when an unregistered URL attempts to iframe flex.twilio.com.


Embed Flex as an iframe

These instructions only apply to our hosted flex.twilio.com platform.

You can register your domains on the Flex Settings page of your application in the Twilio Console.

If you need to add more URL(s) to your Allowed URLs list, review the URL Registration Rules. To test the setting, click Save, and refresh your external application.

You should be able to log into your Flex application if the external URL has been registered correctly. Note that unauthenticated requests are redirected to the Flex login page.

Warning

If you run into issues with embedding Flex as an iframe, be sure to add your Salesforce Lightning URL (e.g. https://<SFDCdomain>.lightning.force.com) in the Allowed URLs section for Flex in the Twilio Console, and enable third-party cookies in your browser.

Info

For Flex applications created before March 10th, 2021, we have prepopulated the allowed URLs list for you based on your application activity. Review and confirm that they are the right URL(s).

URL Registration Rules

When adding URL(s) to your Allowed URLs list, keep the following rules in mind:

http://contactcenter.example.com
https://contactcenter.example.com
http://localhost:8000
    Full URLs are required, without any trailing slashes. For local development, register localhost:<port> prefixed by http or https depending on your configuration.

*.example.com
    Wildcards are not supported.

https://example.com/supportpage
    URL paths are not supported.
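
The rules above can be checked mechanically before entries are saved in Console. The following is an added example, not Twilio code; the function names checkAllowedUrl and auditAllowedUrls and the sample list are assumptions made for illustration.

```javascript
// Added example (not Twilio code): lint candidate Allowed URLs entries against
// the URL Registration Rules listed above.

// Returns the rule violations for one entry; an empty array means it passes.
function checkAllowedUrl(entry) {
  const problems = [];
  if (entry.includes("*")) problems.push("wildcard");

  let url;
  try {
    url = new URL(entry);
  } catch {
    // No scheme at all, e.g. "*.example.com" or "contactcenter.example.com".
    return [...problems, "not-a-full-url"];
  }
  // "localhost:8000" parses successfully with "localhost:" as its scheme, so
  // the scheme must be tested explicitly instead of trusting the parser.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return [...problems, "not-a-full-url"];
  }
  // The parser normalizes an empty path to "/", so anything else is a real path.
  if (url.pathname !== "/") problems.push("path");
  // Trailing slashes are only visible in the raw string, not the parsed URL.
  if (entry.endsWith("/")) problems.push("trailing-slash");
  return problems;
}

// Splits a list into accepted entries and rejected entries with their reasons.
function auditAllowedUrls(entries) {
  const accepted = [];
  const rejected = {};
  for (const entry of entries.map((e) => e.trim())) {
    const problems = checkAllowedUrl(entry);
    if (problems.length === 0) accepted.push(entry);
    else rejected[entry] = problems;
  }
  return { accepted, rejected };
}

// Constructed sample: the page's own examples plus two common mistakes.
const sample = [
  "http://contactcenter.example.com",
  "https://contactcenter.example.com",
  "http://localhost:8000",
  "*.example.com",
  "https://example.com/supportpage",
  "https://contactcenter.example.com/", // trailing slash
  "localhost:8000", // scheme missing
];
console.log(auditAllowedUrls(sample));
```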

Copyright © 2024 Twilio Inc.