Prevent Acrobat Sign from being embedded in third-party websites

Protect your embedded signing experience from clickjacking threats using API-based framing controls.

Clickjacking is a type of attack in which a malicious site tricks a user into clicking something different from what they perceive, potentially hijacking actions like agreement approval or signing.

This clickjacking defense feature prevents this harmful activity by controlling when and how Acrobat Sign pages can be embedded in an iframe, ensuring only trusted domains can do it, and only under controlled conditions.

Activating clickjacking defense protects users while allowing approved workflows to function smoothly.

Configuration

Availability:

  • Acrobat Standard and Acrobat Pro: Not Configurable
  • Acrobat Sign Solutions: Supported; Disabled by default
  • Acrobat Sign for Government: Supported; Enabled by default

Configuration scope:

Administrators can enable this feature at the account and group levels.

Access this feature by navigating the administrator's configuration menu to Security Settings > Prevent Adobe Acrobat Sign from being embedded in third-party websites

The Security Settings Admin page highlighting the "Prevent Adobe Acrobat Sign from being embedded in third-party websites" controls.

How it's used

When clickjacking defense is enabled, Acrobat Sign only allows iframe embedding when:

  • The integration uses the REST API v5 or later
  • The autoLoginUser flag is set to true in the API request
  • A frameParent domain is provided in the request via the commonViewConfiguration object
{
    "commonViewConfiguration": {
    "autoLoginUser": true,
    "frameParent": "yourdomain.com"
    }
}

Best practices

This feature is recommended for all customers, particularly for those customers who aren’t embedding Acrobat Sign pages in an iframe.

If you're framing Acrobat Sign in any external application, this helps maintain security while preserving your integration workflow. For example:

  • Embedding signing or management views in a custom web application.
  • Using the auto-login flow for a smooth signer experience within your domain.
  • Ensuring users can only interact with documents from your authorized iframe context.

Customers should only disable this feature if they have an integration that does not define the frameParent parameter in the API call.

Things to know

  • Clickjacking defense applies to all views of the web page, but SOAP and legacy REST integrations don’t allow Acrobat Sign to be embedded.
  • Browser support varies: Some older browsers (like Internet Explorer) don't support CSP frame ancestors. X-Frame Options is also enforced.

Troubleshooting

If you are having difficulties getting your iframe to display with clickjacking defense enabled:

  • Ensure you are using REST API v5 or later.
  • Ensure your /views API calls include the frameParent parameter.

Adobe, Inc.

Obțineți ajutor mai rapid și mai ușor

Utilizator nou?