I'd like to use an iframe to support the use of Cognito via the provided hosted UI.
This enables several use cases:
- Allows for SPAs to display the login page without losing the context of the host page
- Allows for applications to extend the refresh token without requiring a navigation to Cognito's hosted UI
This could be done securely by Cognito by enabling the configuration of the frame-ancestors CSP directive. Is this on the roadmap?
Alternatively, could I place a proxy in front of the hosted Cognito UI, adding in the required CSP directives? I tried this; however, the cookies are not set as expected. I noticed the hosted UI is multi-domain and retrieves resources from CloudFront - perhaps that is causing issues?
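For reference on the frame-ancestors directive asked about above, here is an added example (not part of the original post, and not AWS code) that checks whether a response's headers would let a given parent origin frame the page. The function names, the lower-cased header keys and the example.com origins used with it are assumptions; it checks a single parent and a single CSP header, whereas browsers check every ancestor and every policy.

```javascript
// Returns the frame-ancestors source list, or null when the directive is absent.
function frameAncestors(csp) {
  for (const part of (csp || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources; // first one wins
  }
  return null;
}

// Effective port: an empty or missing port means the scheme's default.
const effPort = (proto, port) => port || (proto === 'https:' ? '443' : '80');

function sourceMatches(source, parent, self) {
  const s = source.toLowerCase();
  if (s === '*') return true;
  if (s === "'self'") return parent.origin === self.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false; // 'none', malformed or unsupported source: fail closed
  const [, scheme, wildcard, host, port] = m;
  // Assumption: a source without a scheme is matched against the framed page's scheme.
  if (parent.protocol !== (scheme ? scheme + ':' : self.protocol)) return false;
  // "*.example.com" matches subdomains only, not example.com itself.
  const hostOk = wildcard ? parent.hostname.endsWith('.' + host) : parent.hostname === host;
  const portOk = port === '*' ||
    effPort(parent.protocol, parent.port) === effPort(parent.protocol, port);
  return hostOk && portOk;
}

// headers: object with lower-cased header names (Node.js style).
function framingAllowed(headers, parentOrigin, selfOrigin) {
  const parent = new URL(parentOrigin), self = new URL(selfOrigin);
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    // When frame-ancestors is present, X-Frame-Options is ignored.
    return sources.some(src => sourceMatches(src, parent, self));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parent.origin === self.origin;
  return true; // no framing restriction: any site can embed the page
}
```

A response with neither header returns `true` for every parent, which is the condition to watch for on a login page.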