Enhance iframe usage documentation to address cross-origin iframe limitations (#8441)

konstantin-msft · web-flow · commit 7b5a01f81ee1 · 2026-03-19T10:45:25.000-04:00
Enhance iframe usage documentation to address cross-origin iframe
limitations and recommend Nested App Authentication for improved
compatibility
diff --git a/change/@azure-msal-browser-6887f9b2-5ce8-4d14-a03e-41f7e16da509.json b/change/@azure-msal-browser-6887f9b2-5ce8-4d14-a03e-41f7e16da509.json
@@ -0,0 +1,7 @@
+{
+  "type": "none",
+  "comment": "Document cross-origin iframe limitations for the redirect bridge and recommend NAA [#8441](https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/8441)",
+  "packageName": "@azure/msal-browser",
+  "email": "kshabelko@microsoft.com",
+  "dependentChangeType": "none"
+}
diff --git a/lib/msal-browser/docs/iframe-usage.md b/lib/msal-browser/docs/iframe-usage.md
@@ -1,12 +1,43 @@
 # Using MSAL in iframed apps
 
+> [!IMPORTANT]
+> **Cross-origin iframes and popup flows:** Starting with Chromium 115+
+> (Chrome, Edge, and other Chromium-based browsers), `BroadcastChannel` (and
+> other storage APIs) are partitioned by top-level site. This means that
+> `loginPopup()` and `acquireTokenPopup()` **will not work** when your
+> application runs in a cross-origin iframe, because the popup opens as its own
+> top-level context with a different storage partition than the iframe — the
+> redirect bridge's `BroadcastChannel` message never arrives. Other browsers
+> are expected to adopt similar partitioning in the future.
+>
+> See the [Redirect Bridge — Cross-Origin Iframe
+> Limitation](./redirect-bridge.md#cross-origin-iframe-limitation) section for
+> full details and recommended alternatives.
+>
+> **Recommended approach:** If the host platform supports it, use
+> [Nested App Authentication (NAA)](./initialization.md#nested-app-configuration)
+> via `createNestablePublicClientApplication`. NAA delegates authentication to
+> the host application at the top level, avoiding cross-window communication
+> entirely. NAA is supported by Microsoft hosts such as **Teams**, **Outlook**,
+> and **Microsoft 365**. For other hosts, use `loginRedirect()` with
+> `system.allowRedirectInIframe: true` as a fallback (subject to IdP iframe
+> restrictions — see below).
+
 By default, MSAL prevents full-frame redirects to **Azure AD** authentication endpoint when an app is rendered inside an iframe, which means you cannot use [redirect APIs](./initialization.md#redirect-apis) for user interaction with the IdP:
 
 - This restriction is imposed since **Azure AD** will refuse to render any prompt requiring user interaction (e.g. **credential entry**, **consent**, **logout** etc.) in an iframe by throwing the `X-FRAME OPTIONS SET TO DENY` [error](https://html.spec.whatwg.org/multipage/browsing-the-web.html#the-x-frame-options-header), a measure taken to prevent [clickjacking attacks](https://owasp.org/www-community/attacks/Clickjacking).
 - Instead, you'll have to rely on MSAL's [popup APIs](./initialization.md#popup-apis) if user interaction is required, and/or silent APIs (`ssoSilent()`, `acquireTokenSilent()`) if user interaction can be avoided.
 - Similarly, you'll have to use the [logoutPopup()](./logout.md#logoutpopup) API for sign-outs (:warning: if your app is using a version of msal-browser older than v2.13, make sure to upgrade and replace the `logout()` API, as it will attempt a full-frame redirect to Azure AD).
 - When using [popup APIs](./initialization.md#popup-apis), you need to take into account any [sandboxing](https://html.spec.whatwg.org/multipage/origin.html#sandboxing) restrictions imposed by the parent app. In particular, the parent app needs to set the `allow-popups` flag when the iframe is sandboxed.
 
+> [!WARNING]
+> Popup APIs from a **cross-origin** iframe are affected by
+> [third-party storage partitioning](#third-party-storage-partitioning-and-the-redirect-bridge),
+> which breaks the redirect bridge's `BroadcastChannel` communication.
+> Silent APIs may also be affected by third-party cookie restrictions.
+> If your app is embedded in a cross-origin iframe, see the callout above for
+> recommended alternatives.
+
 **Azure AD B2C** offers an [embedded sign-in experience](https://docs.microsoft.com/azure/active-directory-b2c/embedded-login), which allows rendering a custom login UI in an iframe. Since MSAL prevents redirect in iframes by default, you'll need to set the [allowRedirectInIframe](./configuration.md#system-config-options) configuration option to **true** in order to make use of this feature. Note that enabling this option for apps on **Azure AD** is not recommended, due to the above restriction.
 
 ## Browser restrictions
@@ -140,3 +171,19 @@ If you would like to minimize communication with IdP that requires user interact
 ## Single sign-out
 
 You can use MSAL.js with a [front-channel logout URI](https://openid.net/specs/openid-connect-backchannel-1_0.html) to achieve *single sign-out* effect between iframed and parent apps. For instance, if you would like users to automatically logout from iframed apps when they logout from the parent app, you should enable front-channel logout for the iframed apps. To do so, please refer to: [How to configure a front-channel logout URI](./logout.md#front-channel-logout).
+
+## Third-Party Storage Partitioning and the Redirect Bridge
+
+Starting with **Chromium 115+** (Chrome, Edge, and other Chromium-based browsers), [third-party storage partitioning](https://developers.google.com/privacy-sandbox/cookies/storage-partitioning) is enforced. Storage APIs — including `BroadcastChannel`, `localStorage`, `sessionStorage`, `IndexedDB`, `ServiceWorker`, and `SharedWorker` — are partitioned by the **top-level site**, not just by origin. Other browsers are expected to adopt similar partitioning in the future.
+
+The MSAL [redirect bridge](./redirect-bridge.md) uses `BroadcastChannel` to send the authentication response from the popup back to the main application. When your app runs in a cross-origin iframe and opens a popup, the popup becomes its own top-level browsing context — placing it in a **different storage partition** than the iframe. The `BroadcastChannel` message from the redirect bridge never reaches your app, causing the authentication flow to time out with a `timed_out` (`redirect_bridge_timeout`) error.
+
+**Affected flows (BroadcastChannel partition mismatch):**
+- `loginPopup()` / `acquireTokenPopup()` — the popup opens as a new top-level context with a different partition than the iframe
+
+### Recommended solutions
+
+1. **Nested App Authentication (NAA)** — The preferred approach for apps embedded in a host platform that supports the NAA bridge (e.g., Teams, Outlook, Microsoft 365). See [Nested App Configuration](./initialization.md#nested-app-configuration).
+2. **Redirect flow** — Use `loginRedirect()` with `allowRedirectInIframe: true` if the IdP allows rendering in an iframe (for example, Azure AD B2C with embedded sign-in).
+
+For the full technical explanation and code examples, see the [Redirect Bridge — Cross-Origin Iframe Limitation](./redirect-bridge.md#cross-origin-iframe-limitation).
diff --git a/lib/msal-browser/docs/initialization.md b/lib/msal-browser/docs/initialization.md
@@ -56,6 +56,9 @@ Please note the below guidance before opting in for Nested app authentication:
 -   `createNestablePublicClientApplication` will fall back to `createStandardPublicClientApplication` if nested app bridge is unavailable or the Hub is not configured to support nested app authentication.
 -   If an application does not want to be Nested App, it should use `createStandardPublicClientApplication` instead.
 -   Certain account lookup APIs are not supported in NAA apps, please refer to [active accounts](./accounts.md#active-account-apis).
+-   **Cross-origin iframe scenarios:** If your app runs inside a cross-origin iframe, NAA is the **recommended** approach for authentication.
+-   In browsers that enforce [third-party storage partitioning](https://developers.google.com/privacy-sandbox/cookies/storage-partitioning) (Chromium 115+, with other browsers expected to follow), popup flows (`loginPopup`, `acquireTokenPopup`) will fail because the popup opens as its own top-level context, placing it in a different `BroadcastChannel` partition than the iframe — the [redirect bridge's](./redirect-bridge.md) response never arrives. NAA avoids these limitations by delegating authentication to the host application at the top level.
+-   For more details, see [Redirect Bridge — Cross-Origin Iframe Limitation](./redirect-bridge.md#cross-origin-iframe-limitation) and [Using MSAL in iframed apps](./iframe-usage.md).
 
 ## Initializing the PublicClientApplication object
 
diff --git a/lib/msal-browser/docs/redirect-bridge.md b/lib/msal-browser/docs/redirect-bridge.md
@@ -39,6 +39,85 @@ This guide provides framework-specific instructions for setting up the redirect
 > redirect bridge with your application or serve it from your own
 > infrastructure.
 
+## Cross-Origin Iframe Limitation
+
+The redirect bridge relies on the [BroadcastChannel API](https://developer.mozilla.org/en-US/docs/Web/API/BroadcastChannel) to send the authentication response from the popup back to the main application window. Starting with **Chromium 115+** (Chrome, Edge, and other Chromium-based browsers), [third-party storage partitioning](https://developers.google.com/privacy-sandbox/cookies/storage-partitioning) is enforced, which means `BroadcastChannel` is **partitioned by top-level site**, not just by origin. Other browsers are expected to adopt similar partitioning in the future.
+
+This causes **popup-based flows** to fail when your application runs inside a **cross-origin iframe**:
+
+| Context | Top-level site | BroadcastChannel partition |
+|---|---|---|
+| Your app in the iframe | `hostplatform.com` | `hostplatform.com` |
+| Popup opened by the iframe | `yourapp.com` (popup is its own top-level context) | `yourapp.com` |
+
+Although both the iframe and the popup share the same **origin** (`yourapp.com`), the popup is in a **different storage partition**. The redirect bridge sends the response on a `BroadcastChannel` in the popup's partition, but the iframe is listening on a channel in the host platform's partition — the message never arrives, and the authentication flow times out.
+
+> [!IMPORTANT]
+> This is a browser-level constraint — not a bug in MSAL. There is no secure
+> client-side workaround that avoids this partitioning while preserving the
+> security guarantees of the redirect bridge.
+
+### Recommended alternatives for cross-origin iframe scenarios
+
+#### Option 1: Nested App Authentication (recommended)
+
+If the host platform supports it, use [Nested App Authentication (NAA)](./initialization.md#nested-app-configuration).
+With NAA, the iframe delegates authentication entirely to the host application
+via `createNestablePublicClientApplication`. The host authenticates the user at
+the top level (where there are no partitioning issues) and provides tokens to
+the nested app through the NAA bridge. This avoids popup and silent flows from
+within the iframe altogether.
+
+```javascript
+import { createNestablePublicClientApplication } from "@azure/msal-browser";
+
+const pca = await createNestablePublicClientApplication({
+    auth: {
+        clientId: "your-client-id",
+        authority: "https://login.microsoftonline.com/your-tenant-id",
+    },
+});
+```
+
+NAA is supported out of the box by Microsoft host platforms such as **Teams**,
+**Outlook**, and **Microsoft 365**. For custom host platforms, the host must
+implement the [NAA bridge protocol](./initialization.md#nested-app-configuration).
+If the NAA bridge is not available, `createNestablePublicClientApplication`
+automatically falls back to a standard `PublicClientApplication`.
+
+#### Option 2: Redirect flow within the iframe (fallback)
+
+If NAA is not available, use `loginRedirect()` / `acquireTokenRedirect()`
+instead of popup APIs. The redirect flow happens entirely within the iframe's
+browsing context and does not use `BroadcastChannel`, so the redirect bridge
+partition mismatch does not apply. You will need to set
+`system.allowRedirectInIframe: true`:
+
+```javascript
+const msalConfig = {
+    auth: {
+        clientId: "your-client-id",
+        authority: "https://login.microsoftonline.com/your-tenant-id",
+        redirectUri: "/redirect",
+    },
+    system: {
+        allowRedirectInIframe: true,
+    },
+};
+```
+
+> [!NOTE]
+> Redirect flows in iframes require the identity provider to allow rendering in
+> an iframe. **Azure AD / Microsoft Entra ID** will refuse to render interactive
+> prompts (credential entry, consent, etc.) inside an iframe and will return an
+> `X-FRAME-OPTIONS: DENY` error. This means redirect flows in iframes are
+> primarily supported for **Azure AD B2C** with the
+> [embedded sign-in experience](https://docs.microsoft.com/azure/active-directory-b2c/embedded-login),
+> or for non-interactive redirect-in-iframe scenarios where no user interaction is required. This is distinct from MSAL's silent token renewal APIs (`ssoSilent` / `acquireTokenSilent`), which use a hidden iframe with `prompt=none` and are subject to third-party cookie and tracking-prevention restrictions.
+
+For more information on running MSAL in iframes, see
+[Using MSAL in iframed apps](./iframe-usage.md).
+
 ## Angular
 
 1. **Create the redirect bridge component** (`src/app/redirect/redirect.component.ts`):
