Daniel Moerland
Security Review with Canvas App and XFrame-Options
I just wanted to reach out and see if anyone had experience with creating a Canvas App displaying their external Web Application in Salesforce. If so, when going through the security review, what did you do/not do regarding the X-Frame-Options headers? Given that the Canvas App will be in an IFrame in another origin, how do you resolve security violations of not including the X-Frame-Options header in your Web Application? The possible values are Deny or Allow Same Origin, both of which won't work unless I'm missing something.
DENY — Prevents the page from loading in a frame completely.
SAMEORIGIN — Allows framing only if the origin is the same as the content (for example, Salesforce.com versus evilsite.com).
ALLOW-FROM — Enables framing only from a specific URL.
If the third party/external web application does not set X-Frame-Options to Allow, the server that gives the response clearly sets X-Frame-Options to Deny. We don't have much control. See this example.
I have seen people using the Ignore X-Frame header extension to get things working.
While Canvas is an excellent solution to show iFrame content without disabling clickjack protection, it is important to note that the Salesforce side just needs to host the IFRAME with the Web App and do the initial post. That is all Salesforce would do.
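The thread turns on which framing policy the external web app sends back and whether a given Salesforce parent origin is allowed by it. The following script is an added example (not code from this thread or from Salesforce) that evaluates a response's framing policy the way a security reviewer would: it reads the three X-Frame-Options values listed above and, going one step beyond the thread, the Content-Security-Policy frame-ancestors directive, which is what current browsers honour in place of the obsolete ALLOW-FROM and which lets you allow-list specific framing origins without dropping protection entirely. The sample headers, the app URL `https://app.example.com/canvas` and the My Domain origin `https://mycompany.my.salesforce.com` are constructed placeholders.

```python
"""Evaluate whether a response's framing policy lets `parent_origin` embed it.

Checks Content-Security-Policy frame-ancestors first (it overrides
X-Frame-Options in browsers that support it) and falls back to X-Frame-Options.
All sample headers and origins below are constructed for illustration.
"""
import urllib.request
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """Reduce a URL to its lowercase origin: scheme://host[:port]."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"


def _host_matches(pattern: str, host: str) -> bool:
    """Match a CSP host pattern (optionally '*.'-prefixed) against a hostname."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # '*.example.com' matches 'a.example.com' but not 'example.com' itself.
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def _csp_source_allows(source: str, parent: str, self_origin: str) -> bool:
    """Does one frame-ancestors source expression permit the parent origin?"""
    s = source.strip().lower()
    p = urlsplit(parent)
    scheme = p.scheme.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return parent == self_origin
    if s.endswith(":") and "://" not in s:          # scheme-source, e.g. "https:"
        return scheme == s[:-1]
    if "://" in s:                                  # host-source with explicit scheme
        src_scheme, rest = s.split("://", 1)
        if src_scheme != scheme:
            return False
    else:                                           # bare host: any scheme
        rest = s
    rest = rest.split("/", 1)[0]                    # frame-ancestors ignores paths
    host_pat, _, port_pat = rest.partition(":")
    parent_port = p.port or {"https": 443, "http": 80}.get(scheme)
    if port_pat and port_pat != "*" and str(parent_port) != port_pat:
        return False
    return _host_matches(host_pat, p.hostname or "")


def may_be_framed(headers: dict, page_url: str, parent_origin: str) -> tuple[bool, str]:
    """Return (allowed, reason) for framing `page_url` from `parent_origin`."""
    self_origin = _origin(page_url)
    parent = _origin(parent_origin)
    lower = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors wins over X-Frame-Options when both are present.
    for directive in lower.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            ok = any(_csp_source_allows(src, parent, self_origin) for src in value.split())
            return ok, f"CSP frame-ancestors {value.strip()}"

    tokens = lower.get("x-frame-options", "").split()
    directive = tokens[0].upper() if tokens else ""
    if not directive:
        return True, "no framing policy: any origin may frame this page"
    if directive == "DENY":
        return False, "X-Frame-Options: DENY"
    if directive == "SAMEORIGIN":
        return parent == self_origin, "X-Frame-Options: SAMEORIGIN"
    if directive == "ALLOW-FROM":
        # Obsolete: current browsers drop this value, so in practice it gives
        # neither protection nor an allow-list; flagged so reviewers notice it.
        allowed = _origin(tokens[1]) if len(tokens) > 1 else ""
        return parent == allowed, "X-Frame-Options: ALLOW-FROM (obsolete, ignored by current browsers)"
    return True, f"unrecognised X-Frame-Options value {tokens[0]!r}: browsers ignore it"


def fetch_headers(url: str) -> dict:
    """Fetch live response headers for a real review (network call; unused by the samples)."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers)


# Constructed sample responses for a hypothetical canvas web app; the Salesforce
# My Domain origin is a placeholder, not a real org.
APP_URL = "https://app.example.com/canvas"
SF_ORIGIN = "https://mycompany.my.salesforce.com"
SAMPLES = {
    "deny": {"X-Frame-Options": "DENY"},
    "sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "allow_list": {"Content-Security-Policy":
                   "default-src 'self'; frame-ancestors 'self' https://*.my.salesforce.com"},
    "csp_overrides_xfo": {"X-Frame-Options": "SAMEORIGIN",
                          "Content-Security-Policy": "frame-ancestors 'none'"},
    "no_policy": {},
}


def evaluate_samples(parent_origin: str = SF_ORIGIN) -> dict:
    """Run every sample policy against one parent origin; returns name -> allowed."""
    return {name: may_be_framed(h, APP_URL, parent_origin)[0] for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        allowed, why = may_be_framed(hdrs, APP_URL, SF_ORIGIN)
        print(f"{name:18} {'ALLOW' if allowed else 'BLOCK':5}  {why}")
```

Running it shows the point of the thread in one table: `DENY` and `SAMEORIGIN` both block the Salesforce origin, `no_policy` lets anyone frame the app (which is what the security review flags), and only a `frame-ancestors` allow-list lets the org's domain in while still blocking everything else. For a real review, swap the constructed `SAMPLES` for `fetch_headers(APP_URL)` and pass the org's actual My Domain origin as `parent_origin`.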