Until today I was able to make the authorization code request inside an iframe in my web app. But from today I get the following error:

Refused to display 'https://app.box.com/api/oauth2/authorize?response_type=code&client_id=vdjlo1qw0234qbik69npfbvftl5m3d5' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Has the API changed today?

Solution

This may have to do with the recent security vulnerability which was discovered on both Dropbox and box.com.

In short, the vulnerability allowed share links to be viewed outside of the interface. Restricting includes to same origin would prevent that.

In essence, this restriction means in order to embed the content in an iframe, the iframe's parent frame must be served from the same domain.
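
An added example, not part of the original answer: a simplified model of the framing decision a browser makes from the response headers, useful for checking what a given `X-Frame-Options` value permits. It goes slightly beyond the answer by also handling the CSP `frame-ancestors` directive, which takes precedence when present; the function names and the `webapp.example` parent origin are assumptions made for illustration.

```javascript
// Added example: models whether a response may be rendered inside a frame.
// Simplified: exact-origin matching only (no wildcard hosts or scheme-only sources).
function origin(url) { return new URL(url).origin; }

function parseFrameAncestors(csp) {
  // Returns the frame-ancestors source list, or null if the directive is absent.
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// ancestorUrls: URLs of every frame above the embedded document, parent first.
function canBeFramed(frameUrl, ancestorUrls, headers) {
  const self = origin(frameUrl);
  const ancestors = ancestorUrls.map(origin);
  const sources = parseFrameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    // frame-ancestors overrides X-Frame-Options when both are set.
    // An empty list or 'none' matches no ancestor, so framing is refused.
    const allowed = sources.map(s => (s.toLowerCase() === "'self'" ? self : s));
    return ancestors.every(a => allowed.includes("*") || allowed.includes(a));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return ancestors.length === 0;
  // SAMEORIGIN: every ancestor must share the framed document's origin.
  if (xfo === "SAMEORIGIN") return ancestors.every(a => a === self);
  return true; // header absent, or a value this model does not cover
}

// Constructed sample: the authorize page from the question, framed by a
// third-party web app (hypothetical origin) and by a same-origin page.
const AUTHORIZE_URL = "https://app.box.com/api/oauth2/authorize";
const SAMEORIGIN = { "x-frame-options": "SAMEORIGIN" };
console.log(canBeFramed(AUTHORIZE_URL, ["https://webapp.example/"], SAMEORIGIN));
console.log(canBeFramed(AUTHORIZE_URL, ["https://app.box.com/files"], SAMEORIGIN));
```
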

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow