<iframe> API Prerequisites

The LoanPASS app disallows <iframe> embedding by default, so any new integration will have to be configured beforehand.

Configuring <iframe> embedding is currently a manual (but quick) process. Reach out to the LoanPASS team to let us know that you want <iframe> embedding turned on for your client, and tell us the source that will host the <iframe>. For example, if the LoanPASS app will be embedded on a page at https://app.example.com/integrations/loanpass, then the client will need to be configured with the URI https://app.example.com (the origin only, not the full page URL). See the MDN docs for more details on what kinds of sources are supported.

Security details

The <iframe> API was designed with security in mind, so embedding is locked down as tightly as possible. By default, all clients are configured to send the Content-Security-Policy HTTP header with the value frame-ancestors 'none', which prevents the LoanPASS app from being embedded in any other page. Each client can be configured with one or more sources from which embedding is allowed; any page served from one of those sources can then embed the LoanPASS app in an <iframe>. We strongly encourage our clients to serve the hosting page over HTTPS when embedding the LoanPASS app.

The LoanPASS app then listens for postMessage events to handle communication. This is handled entirely client-side, meaning no extra data needs to be sent between different backends; the only data that reaches LoanPASS is the data that would be sent by using the UI directly. Likewise, no data is implicitly sent to any client's backend: the client's side of the <iframe> integration will need to be configured to send data to their backend if needed.
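The two checks above, as an added example that is not LoanPASS's own code: on the embedded side, the frame-ancestors header derived from the configured sources (defaulting to 'none'), and on the host-page side, accepting postMessage events only from the expected LoanPASS origin and from the <iframe> window the page itself created. The function names, the LoanPASS origin and the message shape are assumptions; the page does not specify them.

```javascript
// Added example, not part of the LoanPASS documentation. Function names,
// the LoanPASS origin and the message contents are hypothetical.

// Reduce a hosting page URL to the source LoanPASS needs configured, e.g.
// "https://app.example.com/integrations/loanpass" -> "https://app.example.com".
function sourceFromPageUrl(pageUrl) {
  const url = new URL(pageUrl);
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error(`unsupported scheme for a frame-ancestors source: ${url.protocol}`);
  }
  return url.origin; // scheme + host + port only; path and query are dropped
}

// Embedded-app side: build the Content-Security-Policy value. With no
// configured sources the app refuses embedding everywhere ('none'), which is
// the default described above; otherwise each configured origin is listed.
function buildFrameAncestors(sources) {
  if (sources.length === 0) return "frame-ancestors 'none'";
  const unique = [...new Set(sources.map(sourceFromPageUrl))];
  return `frame-ancestors ${unique.join(" ")}`;
}

// Host-page side: treat a postMessage event as coming from LoanPASS only when
// its origin is the expected LoanPASS origin AND its source is the window of
// the <iframe> this page created, so messages from any other frame are ignored.
function isTrustedFrameMessage(event, loanpassOrigin, frameWindow) {
  return event.origin === loanpassOrigin && event.source === frameWindow;
}

// Host-page side: always pass an explicit targetOrigin rather than "*", so the
// browser delivers the message only if the frame is still on that origin.
function sendToFrame(frameWindow, loanpassOrigin, message) {
  frameWindow.postMessage(message, loanpassOrigin);
}
```

In a real page, `frameWindow` is `document.getElementById("loanpass").contentWindow` and `isTrustedFrameMessage` is called at the top of the `window.addEventListener("message", ...)` handler before any data from the event is used.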