Tim Doherty
When Critical Update: "Remove Instance Names From URLs for Visualforce" is enabled, Visualforce iFrame page no longer loads.
When we activate the Critical Update: Remove Instance Names From URLs for Visualforce, Community Builder, Site.com Studio, and Content Files within our development environment, a Visualforce page within our package, that only contains an iFrame, no longer loads. I've attempted to whitelist the domain for the URL we are trying to iFrame, but have not been successful.
To narrow in on the cause, I deactivated the critical update, and found the iFramed page loaded successfully in Salesforce. I activated the Critical Update again, and the iFrame no longer loaded.
Below is our code for the Visualforce page; I swapped in Salesforce.com for testing purposes. Any ideas anyone could offer would be much appreciated!
<apex:page showHeader="true" sidebar="false" tabStyle="iFrame__tab">
    <apex:iframe src="https://www.salesforce.com" frameborder="false" height="800px" scrolling="true"/>
</apex:page>
Greetings to you!
According to Spring '19 release notes (https://releasenotes.docs.salesforce.com/en-us/spring19/release-notes/rn_vf_external_iframe.htm):
Use iframes to include Visualforce pages on external web pages while enabling clickjack protection. Whitelist the external domains that you trust to bring your Visualforce content outside the Salesforce domain. Previously, it was all or nothing: You could allow iframes of Visualforce pages on all external domains or none at all.
In Setup, search for Session Settings. Under Clickjack Protection, select Enable clickjack protection for customer Visualforce pages either with headers disabled or with standard headers. Both these options allow framing on whitelisted external domains and provide clickjack protection.
Then under Whitelisted Domains for Visualforce Inline Frames, add the trusted external domains where you allow framing.
I hope it helps you.
Kindly let me know if it helps you and close your query by marking it as solved so that it can help others in the future. It will help to keep this community clean.
Thanks and Regards,
Khan Anas
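A check that fits the clickjack settings described in the answer above, as an added example that is not part of the original thread or Salesforce's own code: given the response headers of the framed URL, decide whether a browser would let a given parent origin frame it, so the result can be compared for the parent page's hostname before and after it changes. Assumptions: all hostnames are constructed, only the direct parent is checked, a single policy header is present, and port and path matching are ignored.

```javascript
// Added example. Header names are expected lower-cased; hostnames in the
// sample calls below are constructed, not taken from the thread.
function matchesSource(src, parent, self) {
  const s = src.toLowerCase();
  if (s === "*") return true;
  if (s === "'self'") return parent.origin === self.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s; // scheme-source
  // host-source: [scheme://][*.]host[:port][/path]; port and path are ignored here
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::[\d*]+)?(?:\/.*)?$/.exec(s);
  if (!m) return false; // includes 'none' and anything unparseable
  const [, scheme, wildcard, host] = m;
  if (scheme && parent.protocol !== scheme + ":") return false;
  return wildcard ? parent.hostname.endsWith("." + host) : parent.hostname === host;
}

function canFrame(headers, framedUrl, parentOrigin) {
  const self = new URL(framedUrl);
  const parent = new URL(parentOrigin);
  const directive = (headers["content-security-policy"] || "")
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    const allowed = directive.slice(1).some((s) => matchesSource(s, parent, self));
    return { allowed, decidedBy: "frame-ancestors" };
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, decidedBy: "x-frame-options" };
  if (xfo === "SAMEORIGIN")
    return { allowed: parent.origin === self.origin, decidedBy: "x-frame-options" };
  // ALLOW-FROM is obsolete and ignored by current browsers, so it restricts nothing.
  return { allowed: true, decidedBy: "none" };
}

// Constructed case: the framed site allowlists the parent's old hostname only.
const framed = "https://app.framed.example/widget";
const policy = { "content-security-policy": "frame-ancestors 'self' https://pkg.inst1.vf.example" };
console.log(canFrame(policy, framed, "https://pkg.inst1.vf.example")); // old parent host
console.log(canFrame(policy, framed, "https://pkg.vf.example"));       // new parent host
```

The headers to feed in can be copied from the browser's network panel for the framed request; the console message shown when a frame is blocked names the header that made the decision.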
Remove Instance Names From URLs for Visualforce, Community Builder, Site.com Studio, and Content Files
that the iFramed page stopped loading properly. Deactivating that Critical Update allowed the iFrame page to work again properly.
Thank You!
Tim
clickjack protection for customer Visualforce pages with standard headers
AND clickjack protection for customer Visualforce pages with headers disabled
and saw that the iFramed Visualforce worked as expected, but once I enabled the Critical Update, the iFrame would no longer load. This appears to be decoupled from Clickjack.
Thanks!
Tim