Deployment checklist

When integrating with Financial Connections on the web, refer to this checklist to ensure your users can use the authentication flow without issue.

• Check the Cross-Origin-Opener-Policy response header

  Configure the page that launches the authentication flow so that the Cross-Origin-Opener-Policy response header is same-origin-allow-popups, restrict-properties, or unsafe-none. Using a restrictive value such as same-origin might interfere with OAuth bank login flows. If your page doesn’t set a Cross-Origin-Opener-Policy header, it defaults to unsafe-none.

• Check the Referrer-Policy response header

  Configure the page that launches the authentication flow with a referrer policy that sends a Referer header to other origins. Either don’t send a Referrer-Policy response header or use a value such as origin, origin-when-cross-origin, strict-origin, or strict-origin-when-cross-origin. Using no-referrer suppresses the Referer header and might interfere with OAuth bank login flows.

  If your page contains a <meta name="referer" /> tag, set its content value to one of origin, origin-when-cross-origin, strict-origin, or strict-origin-when-cross-origin.

• Check any iframe sandbox properties

  If the page that launches the authentication flow is displayed inside an iframe, include allow-popups-to-escape-sandbox in the sandbox property. Some OAuth flows don’t work inside a sandboxed iframe, so using a more restrictive allow-popups value breaks them. See the MDN iframe documentation for a full description of these values.

• Test your integration in a sandbox

  Before enabling live traffic, test your integration using a sandbox. Use each of the Test (OAuth), Test (Non-OAuth), Bank (OAuth), and Bank (Non-OAuth) institutions to link accounts.