Version: 1.7.3

Frame Ancestor

When embedding the TaxBandits W-9/W-8 Drop-In UI in your application, you must explicitly allow the parent domains that are permitted to host the embedded form. This is enforced using the Content Security Policy (CSP) frame-ancestors directive. If the domain loading the Drop-In UI is not included in the allowed list, the browser will block the embedded form from rendering.

Why this matters

The frame-ancestors directive helps protect the Drop-In UI from being embedded by unauthorized websites. This is an important security control that limits where the TaxBandits form can be loaded and helps prevent misuse, such as unauthorized framing or clickjacking.

How it works in TaxBandits Drop-In UI

In the TaxBandits Drop-In flow, allowed parent origins are defined when the transient token is generated. That token is then used to load the Drop-In UI. The embedded form checks the requesting domain against the allowed origins configured for that token. If the domain is not authorized, the form will not load.

Configuration flow

1. Specify allowed origins when requesting the transient token

When generating the transient token, provide the origin domains that are allowed to embed the Drop-In UI.

These should be the exact domains where your application hosts the embedded form, such as:

https://app.example.com
https://vendors.example.com

Only the origins included at this step will be allowed to render the Drop-In UI.

2. Use the transient token to load the Drop-In UI

After the transient token is created, pass it when loading the TaxBandits Drop-In SDK / embedded experience. The iframe response will include the CSP policy associated with the allowed origins configured for that token.

3. Browser validates the parent domain

When the iframe is rendered, the browser evaluates the frame-ancestors policy. If the current parent domain matches one of the allowed origins, the Drop-In UI loads successfully. If it does not match, the browser blocks the content.

Token validity

The transient token must be used within 15 minutes of being issued. Once the URL is requested within that window, the resulting iframe URL remains valid for one day with the associated frame-ancestors policy in effect. After that, access is restricted, and a new transient token must be generated.

Important implementation notes

Define all production and test domains that may host the Drop-In UI.
Use fully qualified origins, including protocol.
If no allowed origins are specified, the Drop-In UI will not load.
If your application is embedded across multiple subdomains, each required origin should be included explicitly unless your implementation supports a broader approved pattern.

Common failure scenario

If your team successfully generates a transient token but the Drop-In UI does not render in the iframe, the most likely cause is that the current parent domain is not included in the allowed origins configured for that token. In that case, generate a new transient token with the correct origin list and retry. This is an implementation inference based on how the documented CSP enforcement works.

W-9/W-8 Automation

1099 Automation

TIN Matching

W-2 Automation

941/940 Automation

1098-T Automation

ACA Automation

Extension Automation

1042-S Automation

Supported Forms

Gig Software

Payroll Software

Affiliate Software

HOA Software

Reselling Platform

HCM Providers

Property Management

Healthcare Market Research Platforms

Frame Ancestor

Why this matters​

How it works in TaxBandits Drop-In UI​

Configuration flow​

1. Specify allowed origins when requesting the transient token​

2. Use the transient token to load the Drop-In UI​

3. Browser validates the parent domain​

Token validity​

Important implementation notes​

Common failure scenario​