From 5daa3053a4234e0d47a9eb9e84bd5ec5e2752904 Mon Sep 17 00:00:00 2001 From: John Reilly Date: Fri, 12 Sep 2025 14:18:04 +0100 Subject: [PATCH 1/4] feat: Document user_cancelled error in errors.md Added documentation for user_cancelled error in errors.md. --- lib/msal-browser/docs/errors.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/lib/msal-browser/docs/errors.md b/lib/msal-browser/docs/errors.md index 70d7305439..7d33adbc33 100644 --- a/lib/msal-browser/docs/errors.md +++ b/lib/msal-browser/docs/errors.md @@ -16,6 +16,7 @@ 1. [unable_to_acquire_token_from_native_platform](#unable_to_acquire_token_from_native_platform) 1. [native_connection_not_established](#native_connection_not_established) 1. [uninitialized_public_client_application](#uninitialized_public_client_application) +1. [user_cancelled](#user_cancelled) **[Other](#other)** @@ -415,6 +416,20 @@ await msalInstance.handleRedirectPromise(); // This will no longer throw this er msalInstance.acquireTokenSilent(); // This will also no longer throw this error ``` +## user_cancelled + +**Error Messages**: + +- User cancelled the flow. + +This error is thrown when a `loginPopup` or `acquireTokenPopup` are impacted by `Content-Security-Policy` / `X-Frame-Options` / `Cross-Origin-Opener-Policy` headers . + +Your `Content-Security-Policy` will likely need to look similar to the below: + +`default-src 'self'; script-src 'self'; connect-src 'self' https://login.microsoftonline.com; frame-ancestors 'self'; img-src 'self' data:; style-src 'self'` + +Notice the presence of `https://login.microsoftonline.com` which allows the token to be passed. + ## Other Errors not thrown by MSAL, such as server or cache errors. From bb5925f4e0f8a26117a09ec2de4dfdd94e01fe68 Mon Sep 17 00:00:00 2001 From: John Reilly Date: Fri, 12 Sep 2025 14:25:02 +0100 Subject: [PATCH 2/4] feat: Update errors.md with security header recommendations --- lib/msal-browser/docs/errors.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/lib/msal-browser/docs/errors.md b/lib/msal-browser/docs/errors.md index 7d33adbc33..b00a1b8b24 100644 --- a/lib/msal-browser/docs/errors.md +++ b/lib/msal-browser/docs/errors.md @@ -430,6 +430,8 @@ Your `Content-Security-Policy` will likely need to look similar to the below: Notice the presence of `https://login.microsoftonline.com` which allows the token to be passed. +You may want to consider amending `Cross-Origin-Opener-Policy` to `same-origin-allow-popups` if you use that header. You may want to consider using `X-Frame-Options` of `SAMEORIGIN` if you use that header. + ## Other Errors not thrown by MSAL, such as server or cache errors. From eec920eeeee99c41a01eb4c048d8efc3b2cea2b3 Mon Sep 17 00:00:00 2001 From: John Reilly Date: Fri, 12 Sep 2025 14:25:27 +0100 Subject: [PATCH 3/4] Update lib/msal-browser/docs/errors.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- lib/msal-browser/docs/errors.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msal-browser/docs/errors.md b/lib/msal-browser/docs/errors.md index b00a1b8b24..7e11877fd6 100644 --- a/lib/msal-browser/docs/errors.md +++ b/lib/msal-browser/docs/errors.md @@ -422,7 +422,7 @@ msalInstance.acquireTokenSilent(); // This will also no longer throw this error - User cancelled the flow. -This error is thrown when a `loginPopup` or `acquireTokenPopup` are impacted by `Content-Security-Policy` / `X-Frame-Options` / `Cross-Origin-Opener-Policy` headers . +This error is thrown when a `loginPopup` or `acquireTokenPopup` are impacted by `Content-Security-Policy` / `X-Frame-Options` / `Cross-Origin-Opener-Policy` headers. Your `Content-Security-Policy` will likely need to look similar to the below: From 034e9ac4a10c05f2a2e00bb2fcb7a8683aaa8861 Mon Sep 17 00:00:00 2001 
From: John Reilly Date: Fri, 12 Sep 2025 14:25:37 +0100 Subject: [PATCH 4/4] Update lib/msal-browser/docs/errors.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- lib/msal-browser/docs/errors.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msal-browser/docs/errors.md b/lib/msal-browser/docs/errors.md index 7e11877fd6..2b0fd1c93f 100644 --- a/lib/msal-browser/docs/errors.md +++ b/lib/msal-browser/docs/errors.md @@ -428,7 +428,7 @@ Your `Content-Security-Policy` will likely need to look similar to the below: `default-src 'self'; script-src 'self'; connect-src 'self' https://login.microsoftonline.com; frame-ancestors 'self'; img-src 'self' data:; style-src 'self'` -Notice the presence of `https://login.microsoftonline.com` which allows the token to be passed. +Notice the presence of `https://login.microsoftonline.com`, which allows the token to be passed. You may want to consider amending `Cross-Origin-Opener-Policy` to `same-origin-allow-popups` if you use that header. You may want to consider using `X-Frame-Options` of `SAMEORIGIN` if you use that header.
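Review bot: The new `## user_cancelled` section in PATCH 1/4 documents only the header-related cause, but the message "User cancelled the flow." is also what MSAL reports when the user simply closes the popup before the response arrives; state that plain case first, then explain that restrictive headers produce the same symptom because MSAL can no longer observe the popup and treats it as closed. The paragraph also names three headers (`Content-Security-Policy`, `X-Frame-Options`, `Cross-Origin-Opener-Policy`) without saying what each one breaks, so give one sentence per header: `connect-src` must allow the token-endpoint host or the browser blocks the request MSAL sends after the popup returns; `Cross-Origin-Opener-Policy: same-origin` on the application's own page detaches popups it opens, so MSAL cannot read the response; and `frame-ancestors` / `X-Frame-Options` govern who may embed the application, which matters for the hidden same-origin iframe used by silent requests rather than for a popup, so if that is the intended point say so explicitly rather than listing the header as a cause of a popup error. Finally, the CSP value is one long inline-code span while the rest of errors.md uses fenced blocks (one closes just above the new heading), so put it in a fenced block such as `Content-Security-Policy: default-src 'self'; script-src 'self'; connect-src 'self' https://login.microsoftonline.com; ...` for readability.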
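Review bot: The two recommendations added in PATCH 2/4 give header values without the reason, and the doubled "You may want to consider" reads awkwardly. Suggest: "If your application sends `Cross-Origin-Opener-Policy: same-origin`, change it to `same-origin-allow-popups`: `same-origin` severs the opener relationship for popups the page opens, so MSAL cannot read the authentication response and reports the flow as cancelled, whereas `same-origin-allow-popups` keeps the isolation against cross-origin openers while leaving your own popups reachable." For the second sentence, note that `X-Frame-Options: SAMEORIGIN` is the legacy equivalent of the `frame-ancestors 'self'` already in the CSP example above, and that the two should agree if both are sent; "setting" is also the right verb rather than "amending".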
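Review bot: The sentence edited in PATCH 3/4 still has a number-agreement slip that this commit could fold in alongside the removed stray space: "when a `loginPopup` or `acquireTokenPopup` are impacted" should read "when a `loginPopup` or `acquireTokenPopup` call is impacted" (or "when calls to `loginPopup` or `acquireTokenPopup` are impacted").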
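Review bot: The sentence changed in PATCH 4/4 remains imprecise beyond the added comma: a CSP source entry does not "allow the token to be passed"; the `connect-src` entry permits the browser to make the token-endpoint (and authority metadata) requests to `https://login.microsoftonline.com`, and without it those requests are blocked before the popup flow can complete. Suggest: "Notice `https://login.microsoftonline.com` in `connect-src`, which permits the requests MSAL makes to the identity platform after the popup returns; if you configure a different authority, allow that host instead."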