Content Security Policy blocks silent authentication iframes

6/10 Medium

When using the ssoSilent flow, MSAL loads the redirect URI in an invisible iframe. Content security policies or HTTP headers on the redirect URI page can block this iframe from loading, preventing silent SSO.
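One way to check a redirect URI page's response headers for the blocking condition described above (an added example, not MSAL code or code from the original page). It assumes the app page is the top-level document and that the headers involved are `Content-Security-Policy: frame-ancestors` and `X-Frame-Options`; the function names, origins and header values are constructed, and port wildcards and multiple CSP headers are not handled.

```javascript
// Added example: would these response headers stop appOrigin from framing
// the redirect URI page served at pageOrigin? All sample values are constructed.
function frameAncestors(csp) {
  for (const part of (csp || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null; // directive absent
}

function sourceMatches(source, appOrigin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return appOrigin === pageOrigin;
  if (s === "*") return true;
  const app = new URL(appOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return app.protocol === s; // scheme source
  // Host source: a missing scheme is taken from the framed page (simplification).
  const full = s.includes("://") ? s : new URL(pageOrigin).protocol + "//" + s;
  const wildcard = full.includes("://*.");
  const src = new URL(full.replace("://*.", "://"));
  if (src.protocol !== app.protocol || src.port !== app.port) return false;
  return wildcard
    ? app.hostname.endsWith("." + src.hostname)
    : app.hostname === src.hostname;
}

function framingVerdict(headers, appOrigin, pageOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const sources = frameAncestors(h["content-security-policy"]);
  if (sources !== null) {
    // When frame-ancestors is present, browsers enforce it and ignore X-Frame-Options.
    const ok = sources.some((s) => sourceMatches(s, appOrigin, pageOrigin));
    return ok ? "allowed" : "blocked by CSP frame-ancestors";
  }
  const xfo = (h["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return "blocked by X-Frame-Options";
  if (xfo === "sameorigin" && appOrigin !== pageOrigin) {
    return "blocked by X-Frame-Options";
  }
  return "allowed";
}
```

Feed it the headers returned for the redirect URI (for example, copied from the browser's network panel) together with the origin of the page that calls ssoSilent.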

Category: config
Workaround: partial
Stage: debug
Freshness: persistent
Scope: single_lib
Upstream: open
Recurring: Yes
Maintainer: active

Sources

Collection History

Query: “What are the most common pain points with MSAL for developers in 2025?” 4/7/2026

There is a content security policy or HTTP header blocking the iframe from loading your redirect URI page. When using ssoSilent, the service will attempt to load your redirect URI page in an invisible embedded iframe.

Created: 4/7/2026
Updated: 4/7/2026