Manage PureCloud embedding

Restrict PureCloud Embedding is an optional security setting that prevents external websites from embedding an instance of your PureCloud org in an iframe. It combats “clickjacking,” a malicious technique that redirects a user to a website under the attacker’s control. The malicious website impersonates the victim’s website by embedding it within an iframe element.

Warning: Enabling this feature makes unusable any PureCloud application or integration that embeds PureCloud in an iframe and whose domain does not appear in the Allowed Embeddable Domain(s) box.

Configure PureCloud to allow iframes for the legitimate domains with which your organization works. If you do not add these domains, integrations such as PureCloud for Salesforce, PureCloud for Zendesk, PureCloud for Chrome, PureCloud for Firefox, and PureCloud Embeddable Framework will not work. For more information, see Manage PureCloud embedding with the PureCloud embedded clients.

Using deceptively crafted style sheets, iframes, and text boxes, clickjacking makes users think they are interacting with the genuine web application, when they are actually interacting with an invisible iframe controlled by an attacker.

The malicious site monitors actions performed by the user, and may use transparent or opaque layers to trick a user into clicking a button or link that appears to be legitimate. By “hijacking” user clicks, an attacker can route the user to a different page, application, or domain. Keystrokes can be hijacked using similar techniques. A clickjacking victim can inadvertently pass credentials or other information to an attacker.

To restrict PureCloud embedding:

By default, Restrict PureCloud Embedding is not enabled in your PureCloud organization. Before enabling the Restrict PureCloud Embedding setting, add any domains that might legitimately iframe your PureCloud org to the Allowed Embeddable Domain(s) box. If you do not add these domains, then integrations and embedded clients will not work.

  1. Click Admin.
  2. Under Account Settings, click Organization Settings.
  3. Click the Settings tab.
  4. Scroll to the Security & Compliance section.

  5. In the Allowed Embeddable Domain(s) box, add the name of any domains that legitimately iframe your PureCloud org. The table below lists domains that each PureCloud embedded client must be able to access. Use wildcards to include subdomains. Enter each domain entry on its own line. You can add up to 10 domain entries to this list.

    | PureCloud embedded client      | Domain                                                        |
    |--------------------------------|---------------------------------------------------------------|
    | PureCloud Embeddable Framework | Parent domain                                                 |
    | PureCloud for Chrome           | chrome-extension://onbcflemjnkemjpjcpkkpcnephnpjkcb           |
    | PureCloud for Firefox          | moz-extension://*                                             |
    | PureCloud for Salesforce       | *, *                                                          |
    | PureCloud for Zendesk          | *, *                                                          |
  6. Enable the Restrict PureCloud Embedding setting and add domains. The system displays a warning to remind you that, when enabled, this feature could make integrations and apps unusable if the list of allowed domains is empty or invalid.

    Warning: Enabling this feature could make unusable PureCloud integrations, PureCloud apps, and any other application or integration that loads PureCloud in an iframe and whose domain is not listed in Allowed Embeddable Domain(s).

  7. Click Save.

    Important: When you enable or disable Restrict PureCloud Embedding, users must log out and log back in to their embedded clients.

Technical Notes

When Restrict PureCloud Embedding is on, PureCloud uses the Content Security Policy (CSP) frame-ancestors directive to restrict which domains can embed an instance of PureCloud using <frame>, <iframe>, <object>, <embed>, or <applet> elements. For a list of compatible browsers, see CSP: frame-ancestors in the Mozilla Developer Network web documentation.
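The following is an added example, not code from PureCloud or this article, that shows how an allow-list like the Allowed Embeddable Domain(s) box becomes a frame-ancestors directive and how a browser evaluates that directive against the origin of the page attempting to embed. It uses the Chrome extension id and Firefox wildcard from the table above; the PureCloud origin (purecloud.example.com) and the customer domains are placeholders, and the matching rules are a simplification of the CSP source-expression rules (scheme-less entries are assumed to apply only to https ancestors).

```python
"""Build and evaluate a CSP frame-ancestors directive from an embed allow-list."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
MAX_ENTRIES = 10  # limit stated in the article for the Allowed Embeddable Domain(s) box


def build_frame_ancestors(allowed_domains):
    """Turn the allow-list text (one entry per line) into a frame-ancestors value.

    'self' is always included so the application can still frame itself.
    An empty list therefore yields "frame-ancestors 'self'", which blocks
    every external embedder (the situation the article's warning describes).
    """
    entries = [line.strip() for line in allowed_domains.splitlines() if line.strip()]
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} domain entries are allowed")
    return "frame-ancestors " + " ".join(["'self'"] + entries)


def _host_matches(pattern, host):
    """CSP host matching: '*' matches anything, '*.example.com' matches
    subdomains only (not example.com itself), anything else is an exact match."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def source_allows(source, ancestor_origin, self_origin):
    """Return True if a single source expression permits the ancestor origin."""
    if source == "'none'":
        return False
    if source == "'self'":
        return ancestor_origin.lower().rstrip("/") == self_origin.lower().rstrip("/")

    anc = urlsplit(ancestor_origin)
    if "://" in source:
        # Scheme-qualified entry, e.g. chrome-extension://<id> or moz-extension://*
        scheme, rest = source.split("://", 1)
        if scheme.lower() != anc.scheme.lower():
            return False
    else:
        # Assumption: the protected app is served over https, so a scheme-less
        # entry such as *.example.com only matches https ancestors.
        if anc.scheme.lower() != "https":
            return False
        rest = source

    host_pat, _, port_pat = rest.partition(":")
    if not _host_matches(host_pat, anc.hostname or ""):
        return False
    if port_pat and port_pat != "*":
        anc_port = anc.port or DEFAULT_PORTS.get(anc.scheme.lower())
        if str(anc_port) != port_pat:
            return False
    return True


def is_embedding_allowed(directive, ancestor_origin,
                         self_origin="https://purecloud.example.com"):
    """Evaluate a frame-ancestors directive against one embedding origin.

    A browser applies this check to every ancestor in the frame chain; any
    ancestor that fails causes the framed document to be blocked.
    """
    name, _, sources = directive.partition(" ")
    if name != "frame-ancestors":
        raise ValueError("expected a frame-ancestors directive")
    return any(source_allows(s, ancestor_origin, self_origin) for s in sources.split())


if __name__ == "__main__":
    # Constructed allow-list: a customer CRM wildcard plus the two browser
    # extension entries from the table in the article.
    allow_list = "\n".join([
        "*.example.com",
        "chrome-extension://onbcflemjnkemjpjcpkkpcnephnpjkcb",
        "moz-extension://*",
    ])
    policy = build_frame_ancestors(allow_list)
    print(policy)
    for origin in ("https://crm.example.com", "https://example.com",
                   "https://evil.example.net", "chrome-extension://otherextensionid"):
        print(f"{origin:45} -> {'allowed' if is_embedding_allowed(policy, origin) else 'blocked'}")
```

Note that `*.example.com` does not cover `example.com` itself, and that an allow-list entry without a scheme does nothing for a plain-http embedder; both are common reasons an integration stops working after the setting is enabled, and both are visible as a CSP violation in the browser console rather than as an application error.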

When the feature is turned on, users must log out and log in again to obtain a new cookie that applies the security headers to HTML requests. When the feature is turned off, the Auth API deletes their cookie at the next login.