4. Configure Headers for Framing and OAuth

The Account Linking and Account Summary components are embedded into your parent page as iframes. Account Linking additionally opens a popup window for OAuth-based authentication at the user's financial institution. Both behaviors depend on HTTP response headers being configured correctly:

  • Content Security Policy (CSP) controls which domains are allowed to frame the components.
  • Cross-Origin-Opener-Policy (COOP) controls whether the OAuth popup can communicate back to the parent page.

Content Security Policy (CSP)

The components are served with a CSP whose frame-ancestors directive restricts which domains may embed them in an iframe. Your parent page domain(s) must be listed as allowed in this CSP, or the browser will refuse to render the components inside your page.

Your ByAllAccounts Implementation Manager will configure your parent page domain(s) as allowed in the CSP. No action required from you beyond providing your domain(s).

Cross-Origin-Opener-Policy (COOP)

When a user links accounts at a financial institution that uses OAuth, the Account Linking component opens a popup to that institution's login page. The popup must retain a reference to the page that opened it in order to report the result of the login. If your COOP setting is too restrictive, the browser severs that reference: the popup loads, but it cannot communicate back to your parent page, and the user cannot complete linking.

Set your parent application's COOP response header to one of:

  • same-origin-allow-popups (recommended)
  • unsafe-none (the browser default — also compatible)

Any other COOP value may prevent the OAuth flow from functioning properly.
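The following is an added example, not ByAllAccounts code, showing how a parent application can set the recommended COOP value and how to audit captured response headers for a compatible setting before go-live. The Express-style middleware signature (`req, res, next`) is assumed; the header samples at the bottom are constructed for illustration.

```javascript
// Added example (not ByAllAccounts code): set and audit the parent app's
// Cross-Origin-Opener-Policy header so an OAuth popup can talk back to the opener.

// COOP values that let a popup keep its window.opener reference and postMessage
// back to the page that opened it. Any other value is treated as incompatible,
// matching the guidance above.
const COOP_COMPATIBLE = new Set(["same-origin-allow-popups", "unsafe-none"]);

// Parse a raw COOP header value into its policy token.
// A missing or empty header means the browser default, "unsafe-none".
// The header may carry parameters, e.g. 'same-origin; report-to="coop"',
// so only the part before the first ";" is the policy. Browsers match the
// token exactly, so no case folding is applied.
function parseCoop(headerValue) {
  if (headerValue === undefined || headerValue === null || headerValue.trim() === "") {
    return "unsafe-none";
  }
  return headerValue.split(";")[0].trim();
}

// Evaluate a COOP header value. Returns { ok, value, reason }.
function checkCoop(headerValue) {
  const value = parseCoop(headerValue);
  if (COOP_COMPATIBLE.has(value)) {
    return { ok: true, value, reason: "OAuth popup can communicate with the parent page" };
  }
  return {
    ok: false,
    value,
    reason: `COOP "${value}" isolates the popup from its opener; set same-origin-allow-popups`,
  };
}

// Express-style middleware (hypothetical parent app) applying the recommended value.
function coopMiddleware(req, res, next) {
  res.setHeader("Cross-Origin-Opener-Policy", "same-origin-allow-popups");
  next();
}

// Audit a plain object of response headers, such as one exported from the
// browser's network panel or built from fetch(url).then(r => r.headers).
// Header names are matched case-insensitively, as HTTP requires.
function auditResponseHeaders(headers) {
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === "cross-origin-opener-policy"
  );
  return checkCoop(entry ? entry[1] : undefined);
}

// Constructed sample header sets for three parent-page configurations.
const SAMPLES = {
  recommended: { "Cross-Origin-Opener-Policy": "same-origin-allow-popups" },
  browserDefault: { "Content-Type": "text/html" },            // no COOP header at all
  tooStrict: { "cross-origin-opener-policy": 'same-origin; report-to="coop"' },
};

// Run the audit over every sample and return a name -> result map.
function auditSamples() {
  const results = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    results[name] = auditResponseHeaders(headers);
  }
  return results;
}

// Stand-alone usage: print a one-line verdict per sample.
for (const [name, result] of Object.entries(auditSamples())) {
  console.log(`${name.padEnd(14)} ${result.ok ? "OK  " : "FAIL"} ${result.value}: ${result.reason}`);
}
```

Run the audit against the headers your real parent page returns (the `tooStrict` sample is what a hardened `same-origin` deployment looks like, and it is the case that breaks the OAuth popup). Note that `auditResponseHeaders` only inspects the COOP header; the CSP that permits framing lives on the components' side and is configured by your Implementation Manager.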

Success Criteria

  • Your parent page domain(s) are configured as allowed in the components' CSP (handled by your Implementation Manager)
  • Your parent application's COOP response header is set to same-origin-allow-popups or unsafe-none