Dave Humm

xss error with community users

I am embedding a Visualforce page from a managed package into a Lightning Component using an iFrame. This is throwing an XSS error when a community user attempts to access the page.

I have replaced the actual domain name with clientdomain for customer confidentiality.
Refused to display 'https://clientdomain--flex.cs82.my.salesforce.com/?ec=302&startURL=%2Fvisual…land--flex--b25.cs82.visual.force.com%252Fapex%252Fb25__lightning_calendar' in a frame because it set 'X-Frame-Options' to 'DENY'.

In the Lightning component I have got the URL hardcoded as
https://clientdomain--flex--b25.cs82.visual.force.com/apex/lightning_calendar



The community users are logging into a site with the domain as
https://flex-clientdomain.cs82.force.com
If I can replace the hardcoding of the domain in the Lightning component I suspect this may fix the problem as the user is not authenticated to SF on that domain, but when I have tried using a string like
/visual.force.com/apex/lightning_calendar
or
/apex/lighting_calendar

It throws an error with Invalid page where the component is embedded in a community page.
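
A diagnostic sketch for the refusal quoted in the post, added here as an example and not part of the original post: it compares the URL the browser refused to frame with the iframe src and the site the user logged in to, to tell a login redirect that forbids framing apart from the requested page forbidding it. The function name, the verdict strings and the startURL value in the sample are constructed, and treating "ec" plus "startURL" as the login-redirect marker is an assumption.

```javascript
// Added example, not code from the original post.
// Assumption: "ec" together with "startURL" in the refused URL marks a redirect
// to a login page instead of the page the iframe asked for.
function diagnoseFrameRefusal(refusedUrl, iframeSrc, loggedInOrigin) {
  const refused = new URL(refusedUrl);
  const requested = new URL(iframeSrc);
  const loggedIn = new URL(loggedInOrigin);

  // The refused document is not the one the iframe src pointed at.
  const redirected =
    refused.host !== requested.host || refused.pathname !== requested.pathname;
  // The redirect target carries the (assumed) login-redirect parameters.
  const loginRedirect =
    redirected &&
    refused.searchParams.has('ec') &&
    refused.searchParams.has('startURL');
  // The iframe src is on a different host than the site the user logged in to.
  const crossHost = requested.host !== loggedIn.host;

  let verdict;
  if (loginRedirect) verdict = 'login-redirect-refused-framing';
  else if (redirected) verdict = 'other-redirect-refused-framing';
  else verdict = 'requested-page-refused-framing';

  return {
    verdict,
    redirected,
    loginRedirect,
    crossHost,
    refusedHost: refused.host,
    startURL: refused.searchParams.get('startURL'), // decoded once
  };
}

// Hosts are the redacted ones from the post. The refused URL is constructed:
// the post's copy is truncated, so the startURL value here is a stand-in.
const SAMPLE = {
  refusedUrl:
    'https://clientdomain--flex.cs82.my.salesforce.com/?ec=302&startURL=%2Fapex%2Flightning_calendar',
  iframeSrc:
    'https://clientdomain--flex--b25.cs82.visual.force.com/apex/lightning_calendar',
  loggedInOrigin: 'https://flex-clientdomain.cs82.force.com',
};

function runSample() {
  return diagnoseFrameRefusal(SAMPLE.refusedUrl, SAMPLE.iframeSrc, SAMPLE.loggedInOrigin);
}

console.log(runSample());
```

A 'login-redirect-refused-framing' verdict with crossHost set means the X-Frame-Options header came from the login redirect on the other host, not from the Visualforce page itself.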