As a preface, I realize that security, particularly as it pertains to iframes, is aspirational, but I'm exploring strategies for how I can (relatively) secure an iframe in another document.
If it helps for context, I'm trying to embed a user-specific page inside of Notion.
I have an application that a user authenticates with. When they authenticate, they have an option to embed a page that is specific to their account with a unique URL. The host page and the embedded page are on different domains. Although the user is authenticated with my application, the embedded page doesn't have the ability to carry over any of the session information.
Right now, it's secure insofar as the URL is unique to the user, but if anybody else has the URL they can view the contents. What strategies can I use to prevent unauthorized parties from opening and viewing the page? Ideally, somehow, the embedded page could be hydrated with the authenticated session. Another idea I had was to require a key/password on initial load that then gets stored in local storage. I'm aware of Content Security Policy, but from my understanding, that only prevents non-whitelisted domains from hosting the frame.
Additional context for my use case: I have a public Notion integration that is using the Notion authentication to get access tokens, which are used for calling the Notion API to embed the page, but this doesn't really help with the security of the contents of the embedded page.
Any tips or techniques you all could suggest?
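One way to shrink the window in which a leaked unique URL is useful, as an added example that is not part of the original post: the embedding application issues a URL that carries the user id, an expiry and an HMAC over both, the embedded page verifies it server-side before rendering, and it sends a frame-ancestors policy so only the expected host can frame it. The secret, the embed host `embed.example.com` and the Notion origins in the policy are assumptions for the demo.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo secret; load from a secret store in real deployments.
EMBED_SECRET = b"constructed-demo-secret-do-not-use"
EMBED_BASE = "https://embed.example.com/page"  # assumed host of the embedded page


def _sign(user_id: str, exp: int) -> str:
    """HMAC-SHA256 over user id and expiry, so neither can be altered."""
    msg = f"{user_id}|{exp}".encode()
    return hmac.new(EMBED_SECRET, msg, hashlib.sha256).hexdigest()


def make_embed_url(user_id: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Issue a URL that opens the page for `user_id` until it expires."""
    now = int(time.time()) if now is None else now
    exp = now + ttl_seconds
    query = urlencode({"u": user_id, "exp": exp, "sig": _sign(user_id, exp)})
    return f"{EMBED_BASE}?{query}"


def verify_embed_url(url: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the URL is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    q = parse_qs(urlparse(url).query)
    try:
        user_id, exp, sig = q["u"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None  # missing or malformed parameters
    if exp < now:
        return None  # expired: a leaked link stops working after the TTL
    # Constant-time comparison so the check does not leak the expected signature.
    if not hmac.compare_digest(sig, _sign(user_id, exp)):
        return None
    return user_id


def embed_response_headers() -> dict:
    """Headers the embedded page sends so only the assumed Notion origins may frame it."""
    return {
        "Content-Security-Policy": "frame-ancestors https://www.notion.so https://*.notion.site",
        "Cache-Control": "no-store",  # keep the per-user page out of shared caches
    }
```

The signature and expiry only limit how long a copied URL stays usable; the embedded page must still re-issue a fresh URL from the authenticated application on each load rather than rely on a long-lived link.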