
Securely embed Flex as an iframe

Starting March 3rd, 2021, all new Flex applications are required to register their valid URLs under Twilio Flex's Allowed URLs list in order to embed Flex as an iframe. Existing Flex applications have until May 3, 2021 to confirm their registered URLs.

We are updating our Content Security Policy (CSP) so that it is restricted to URLs registered with Twilio. This also applies to Salesforce and Zendesk integrations.

Our security policy will help guard against cross-site scripting (XSS) and other content injection attacks, such as clickjacking. Instead of blindly trusting everything that a server delivers, we have implemented a policy that lets you add a list of sources of trusted content. Your allowed URL(s) will be added to a CSP header as valid frame-ancestors sources, along with a report-uri directive on authenticated Flex requests. This tells your browser to report an error when an unregistered URL attempts to iframe flex.twilio.com.

Embed Flex as an iframe

These instructions only apply to our hosted flex.twilio.com platform.

New Flex applications

The policy is enabled by default for all new Flex applications. If you need to add more URL(s) to your Allowed URLs list, review the URL Registration Rules.


Existing Flex applications

We have prepopulated the allowed URLs list for you based on your application activity. Review and confirm that they are the right URL(s). In order to test the policy on your account, toggle "Enable CSP", click Save, and refresh your external application.


You should be able to log into your Flex application if the external URL has been registered correctly. Note that unauthenticated requests are redirected to the Flex login page.

Keep in mind that the ability to enable and disable CSP via the toggle is available to all pre-existing Flex applications until the day the policy is enforced.

URL Registration Rules

When adding URLs to your Allowed URLs list, keep the following rules in mind:

Supported:

http://contactcenter.example.com
https://contactcenter.example.com
http://localhost:8000

Full URLs are required, without any trailing slashes. For local development, register localhost:<port> prefixed by http or https depending on your configuration.

Not supported:

*.example.com (wildcards are not supported)
https://example.com/supportpage (URL paths are not supported)
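
The rules above can be checked before an entry is saved, and a captured CSP header can be checked for the origin of the page that embeds Flex. This is an added example, not Twilio's code: the function names, the sample header and the report-uri endpoint are constructed, and the origin check assumes exact matching because wildcards and paths cannot be registered.

```javascript
// Added example: names and sample values are constructed for illustration.

// Returns the registration rules an entry breaks; an empty array means it is acceptable.
function checkAllowedUrl(entry) {
  const problems = [];
  if (entry.includes("*")) problems.push("wildcards are not supported");
  if (!/^https?:\/\//i.test(entry)) {
    // Covers bare hosts and "localhost:8000", which URL() would misread as a scheme.
    problems.push("full URL required: prefix with http:// or https://");
    return problems;
  }
  if (entry.endsWith("/")) problems.push("trailing slash is not allowed");
  let url;
  try {
    url = new URL(entry);
  } catch {
    problems.push("not a parseable URL");
    return problems;
  }
  // Ignore trailing slashes here; they are reported by the rule above.
  if (url.pathname.replace(/\/+$/, "") !== "") problems.push("URL paths are not supported");
  return problems;
}

// Extracts the frame-ancestors source list from a CSP header value, or null if absent.
function frameAncestors(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// True when the embedding page's origin is listed verbatim in frame-ancestors.
function mayEmbed(cspHeader, embedderUrl) {
  const sources = frameAncestors(cspHeader);
  return sources !== null && sources.includes(new URL(embedderUrl).origin);
}

// Constructed header value; the report endpoint is a placeholder, not Twilio's.
const SAMPLE_CSP =
  "frame-ancestors https://contactcenter.example.com http://localhost:8000; " +
  "report-uri https://csp-reports.example.invalid/report";

for (const entry of ["http://localhost:8000", "*.example.com", "https://example.com/supportpage"]) {
  console.log(entry, "->", checkAllowedUrl(entry));
}
console.log(mayEmbed(SAMPLE_CSP, "https://contactcenter.example.com/desk"));
```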