The default value of the Content Security Policy (CSP) header prevents Keycloak pages from being included in non-origin iframes. So, it prevents our widget from being used in external sites.
Assuming that the client itself is properly configured security-wise, is such a restrictive CSP really required? We are unable to figure out what it is protecting against but guess that there must be a good reason for it.
How are widgets for external sites that authenticate with Keycloak protected?
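The framing restriction the question describes comes from the CSP `frame-ancestors` directive, which tells the browser which origins may embed a page in an iframe; a `'self'`-only value blocks framing by every other site, which is the standard defence against clickjacking of a login page. The following is an added Python model (not Keycloak code) of how a browser evaluates that directive, so the effect of the default and of a narrower relaxation (an explicit allow-list of embedding origins) can be checked offline. The default policy string is an assumption about Keycloak's shipped value; verify it against the security headers configured for your realm.

```python
"""
Model of a browser's ``frame-ancestors`` check (added illustration, not Keycloak's code).
Simplifications: 'self' is treated as an exact-origin match and every ancestor
frame in the chain must be allowed, which is what the directive requires.
"""
from urllib.parse import urlsplit

# Assumed Keycloak default CSP; check your realm's security headers for the real value.
ASSUMED_KEYCLOAK_DEFAULT_CSP = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"

DEFAULT_PORTS = {"https": "443", "http": "80"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive_name: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def origin_of(url: str) -> tuple[str, str, str]:
    """Return (scheme, host, port) with the default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = str(u.port) if u.port is not None else DEFAULT_PORTS.get(scheme, "")
    return scheme, (u.hostname or "").lower(), port


def source_matches(source: str, page_origin: tuple, ancestor_origin: tuple) -> bool:
    """Does one frame-ancestors source expression permit this ancestor origin?"""
    a_scheme, a_host, a_port = ancestor_origin
    if source == "'self'":
        return ancestor_origin == page_origin
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:        # scheme-source, e.g. "https:"
        return a_scheme == source[:-1].lower()
    # host-source: [scheme://]host[:port]; "*.example.org" matches subdomains only
    if "://" in source:
        scheme, host_port = source.split("://", 1)
    else:
        scheme, host_port = page_origin[0], source
    scheme = scheme.lower()
    host, _, port = host_port.partition(":")
    host = host.lower()
    if scheme != a_scheme:
        return False
    if host.startswith("*."):
        if not a_host.endswith(host[1:]):                  # host[1:] is ".example.org"
            return False
    elif host != a_host:
        return False
    if port == "*":
        return True
    expected_port = port or DEFAULT_PORTS.get(scheme, "")
    return expected_port == a_port


def framing_allowed(csp_header: str, page_url: str, ancestor_urls: list[str]) -> bool:
    """True if every ancestor frame's origin is permitted by frame-ancestors.

    When the directive is absent, CSP imposes no framing restriction at all
    (any X-Frame-Options header would then be the only control).
    """
    sources = parse_csp(csp_header).get("frame-ancestors")
    if sources is None:
        return True
    page_origin = origin_of(page_url)
    return all(
        any(source_matches(s, page_origin, origin_of(a)) for s in sources)
        for a in ancestor_urls
    )


if __name__ == "__main__":
    # Constructed sample URLs for illustration.
    login = "https://sso.example.com/realms/demo/protocol/openid-connect/auth"
    widget_host = "https://app.example.org/dashboard"
    print("default, third-party embed :", framing_allowed(ASSUMED_KEYCLOAK_DEFAULT_CSP, login, [widget_host]))
    relaxed = "frame-ancestors 'self' https://*.example.org"
    print("allow-listed embed        :", framing_allowed(relaxed, login, [widget_host]))
```

The relaxed policy at the end is the shape of a targeted change: it names the specific embedding origins rather than removing the directive, so pages other than the intended widget hosts still cannot frame the login page.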