External domains must now be registered with Twilio when embedding Flex within iframes

All Flex applications are now required to register their external domains when flex.twilio.com is loaded within an iframe. This restriction is now enforced for new applications. Existing Flex applications have until May 3, 2021 to confirm their registered domains.

To prevent potential phishing attacks or abuse by malicious third parties, we are applying a Content Security Policy to flex.twilio.com that restricts Flex from being rendered in an iframe by untrusted domains. To continue using Flex within an iframe, including through Salesforce and Zendesk integrations, admins must register their external domains on the Flex Settings page. We have pre-populated this list based on your current application activity.

Refer to our documentation for more details.