Back to Docusign.com
Hi everyone,
We’re experiencing an issue with the embedded signing flow that recently started occurring (it was working fine until last week).
We’re following the official guide for creating a focused signing view:
👉 https://developers.docusign.com/docs/esign-rest-api/how-to/request-signature-focused-view/
Our backend uses docusign-esign@^8.5.0 to generate the signing URL.
We include the following domains in our FRAME_ANCESTORS directive:
https://our-domain.com
https://demo.docusign.net
https://apps-d.docusign.com
The generated signing URL opens correctly in a separate browser tab.
However, when embedding it inside an <iframe>, the frame fails to load and the browser shows a CSP violation error:
Content Security Policy of your site blocks some resources Some resources are blocked because their origin is not listed in your site's CSP. ... Resource Status Directive Source location https://apps.dev.docusign.net/.../1ds-bundle.js.map blocked connect-src (unknown) https://apps-d.docusign.com/ blocked frame-ancestors (unknown)
If we open the same page in Incognito mode with third-party cookies blocked, the frame loads and works correctly.
This issue started happening around last week, without any changes on our side.
Has anyone else encountered this behavior or knows if there were any recent changes in DocuSign’s embedded signing CSP or cookie handling?
Thanks in advance!
