Daniel Moerland

Security Review with Canvas App and XFrame-Options

I just wanted to reach out and see if anyone had experience with creating a Canvas App displaying their external Web Application in Salesforce. If so, when going through the security review, what did you do/not do regarding the X-Frame-Options headers? Given that the Canvas App will be in an IFrame in another origin, how do you resolve security violations for not including the X-Frame-Options header in your Web Application? The possible values are Deny or Allow Same Origin, both of which won't work unless I'm missing something.
Anudeep (Salesforce Developers)
The X-Frame-Options header can be set to one of three values:

DENY — Prevents the page from loading in a frame completely.
SAMEORIGIN — Allows framing only if the origin is the same as the content (for example, Salesforce.com versus evilsite.com).
ALLOW-FROM — Enables framing only from a specific URL.

If the third party/external web application does not set X-Frame-Options to Allow, the server that gives the response clearly sets X-Frame-Options to Deny. We don't have much control. See this example.

I have seen people using the Ignore X-Frame header extension to get things working.

While Canvas is an excellent solution to show iFrame content without disabling clickjack protection, it is important to note that the Salesforce side just needs to host the IFRAME with the Web App and do the initial post. That is all Salesforce would do.
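As an added illustration (not Salesforce or Canvas code, and not part of this thread), the checker below evaluates a web app's response headers and reports whether a given framing origin would be allowed. It implements the three X-Frame-Options values listed above and, going beyond the thread, the Content-Security-Policy `frame-ancestors` directive, which is the supported way to permit framing from specific origins now that `ALLOW-FROM` is obsolete. All origins and header values in it are constructed.

```python
"""Check whether a page's response headers let it be framed by a given origin.

Added illustration for this thread, not Salesforce or Canvas code. It covers
the three X-Frame-Options values (DENY, SAMEORIGIN, ALLOW-FROM) and, beyond
what the thread discusses, the Content-Security-Policy frame-ancestors
directive, which current browsers honour instead of ALLOW-FROM.
All origins and headers below are constructed.
"""
from urllib.parse import urlparse


def _origin(url: str) -> str:
    """Reduce a URL to its lower-cased scheme://host[:port] origin."""
    p = urlparse(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"


def _header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _source_matches(src: str, framer: str) -> bool:
    """Match one CSP host-source (optional scheme, optional leading '*.')
    against a normalised framer origin."""
    f = urlparse(framer)
    if "://" in src:
        scheme, host = src.split("://", 1)
        if scheme != f.scheme:
            return False
    else:
        host = src
    host = host.rstrip("/").split(":")[0]
    if host.startswith("*."):
        # '*.example.com' matches subdomains only, as in the CSP spec.
        return f.hostname is not None and f.hostname.endswith(host[1:])
    return f.hostname == host


def framing_allowed(headers: dict, page_origin: str, framer_origin: str):
    """Return (allowed, reason) for the page at page_origin when embedded by
    framer_origin. A frame-ancestors directive, when present, takes precedence
    over X-Frame-Options, which is how current browsers resolve the two."""
    page, framer = _origin(page_origin), _origin(framer_origin)

    csp = _header(headers, "Content-Security-Policy") or ""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if "'none'" in sources:
                return False, "CSP frame-ancestors 'none'"
            if "'self'" in sources and page == framer:
                return True, "CSP frame-ancestors 'self' and origins match"
            for src in sources:
                if not src.startswith("'") and _source_matches(src, framer):
                    return True, f"CSP frame-ancestors lists {src}"
            return False, "CSP frame-ancestors does not list the framing origin"

    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        # The finding a security review raises: any origin may frame the page.
        return True, "no X-Frame-Options header: any origin may frame the page"
    value = xfo.strip().upper()
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        if page == framer:
            return True, "X-Frame-Options: SAMEORIGIN and origins match"
        return False, "X-Frame-Options: SAMEORIGIN but origins differ"
    if value.startswith("ALLOW-FROM"):
        # Obsolete: Chrome and Safari never honoured it and Firefox dropped it,
        # so in practice it neither grants nor restricts anything.
        return True, "X-Frame-Options: ALLOW-FROM is obsolete and ignored by current browsers"
    return True, f"unrecognised X-Frame-Options value {xfo!r} is ignored by browsers"


if __name__ == "__main__":
    # Constructed example: an external web app that should be embeddable by a
    # Salesforce org (and by itself) but by no other site.
    app = "https://webapp.example"
    sf_org = "https://myorg.lightning.force.com"
    hardened = {
        "X-Frame-Options": "SAMEORIGIN",  # fallback for browsers without CSP support
        "Content-Security-Policy": "frame-ancestors 'self' https://*.force.com https://*.salesforce.com",
    }
    for framer in (sf_org, "https://evilsite.example"):
        print(framer, framing_allowed(hardened, app, framer))
```

Run it against the headers your app actually returns (for example, the dict built from a `requests` response) with your org's Canvas domain as the framer; a result of "no X-Frame-Options header" is the review finding, while `SAMEORIGIN` plus a `frame-ancestors` list of the Salesforce domains keeps clickjack protection against everyone else.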

Lora Brown
Creating a canvas app displaying their external web application in Salesforce is a really informative post, I am here with great hope. My https://do-my-assignment.com/term-paper-writing-service-australia/ assignment submission time is running out and I need quality content on some topics so could you please help me with this? Thank you so much in advance.