Securely embed Flex as an iframe

We are updating our Content Security Policy (CSP) to be restricted to Twilio registered URLs. This also applies to Salesforce and Zendesk integrations.

Our security policy will help guard against cross-site scripting (XSS) and other content injection attacks, such as click-jacking. Instead of blindly trusting everything that a server delivers, we have implemented a policy that lets you add a list of sources of trusted content. Your allowed URL(s) will be added to a CSP header as a valid frame-ancestor, along with a report-uri directive on authenticated Flex requests. This tells your browser to report an error when unregistered URLs are attempting to iframe flex.twilio.com.

---

Embed Flex as an iframe

These instructions only apply to our hosted flex.twilio.com platform.

You can register your domains by accessing the Flex Settings page of your application on Twilio Console.

If you need to add more URL(s) to your Allowed URLs list, review the URL Registration Rules. In order to test the setting, click Save, and refresh your external application.

Expand image

You should be able to log into your Flex application if the external URL has been registered correctly. Note that unauthenticated requests are redirected to the Flex login page.

(warning)

Warning

If you run into issues with embedding Flex as an iFrame, be sure to add your Salesforce lightning URL in the Twilio Console Allowed URLs section for Flex, e.g: https://<SFDCdomain>.lightning.force.com and enable third party cookies in your browser.

(information)

Info

For Flex applications created before March 10th, 2021, we have prepopulated the allowed URLs list for you based on your application activity. Review and confirm that they are the right URL(s).