function readOnly(count){ }
Sign Up ›
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
Learn More

Browse by Topic
ShowAll Questionssorted byDate Posted
+ Start a Discussion
jhartjhart 

Critical bug in IE: scripting in Visualforce broken unless subdomain added to Trusted Sites list

We use Visualforce pages both at the top-level (their own page) and embedded as <page> elements in standard objects' page layouts.

These pages no longer work in IE if their Visualforce subdomain has been added to IE's "Trusted Sites" list.  We think the breakage occurred last night, but it's hard to say because we don't do browser testing every day just to see if something broke last night.  Maybe we should.



However, for top-level pages, no such message is displayed to the end-user.  Instead, the page loads and displays just fine, but the discerning eye notices that a javascript error is thrown on page load.  Clicking on IE's little "javascript error" icon on the bottom left brings up this dialog:



Viewing source, we see that line 5 is the UserContext.initialize call:

Code:
4  <script  type="text/javascript">window.sfdcPage = new GenericSfdcPage();
5  UserContext.initialize(....

 
This bug has serious downstream consequences, because actionFunction and actionSupport methods are broken.  If I click on link that calls an actionFunction, my UI just hangs in its "loading/throbber" state but I can again click that little javascript error icon on the bottom left and see this error:



Only by adding my subdomain (i.na5.visual.force.com) to IE's "Trusted Sites" list fixes these problem.  However, for the top-level pages, the user has no way of knowing to do this.  Instead, they just think that our app is broken.

As best as my testing recalls, all of this worked fine last week.

It all still works fine in Firefox 3 (of course, per this post, Salesforce does not officialy support Firefox 3)


jhartjhart
I have opened support case 02231367 to track this issue.
dchasmandchasman
I tracked down the recent change that introduced this - the design intent was to to only impact inline pages AFAIK but it appears that this is not the case. The change is very specific to IE and will not impact any other browser. My team is looking into this now.
jhartjhart
Thanks Doug.

We're trying to decide if we should be delaying fresh installs until this issue is resolved.

Can you shed a light on the expected behavior?

My guess is:

a.  Top-level visualforce pages will "just work"

b.  Inline visualforce pages will require IE users to "always enable session cookies" or to add the package subdomain (or "https://*.force.com") to their Trusted Sites list.

thanks,
john
jhartjhart

This bug actually strikes other browsers, too.

If I have my browser set to reject 3rd party cookies (which I do), then hyperlinks in my embedded <page> elements lead to infinite loops.

See this discussion board post.
gjsgjs
Salesforce does not believe this is a regression in the latest patch. We figured this out for IE7 with John's help. Essentailly it has to do with Security level Settings for the "Internet" zone. He was using custom settings for this zone which were causing the issue for him. Making security level "Medium High" for Internet zone removed the JS error for John. We were able to reproduce in IE7 on my VM by making the level "High" and then enabling "Active scripting".
jhartjhart
Note that Microsoft's own security patches change the "Internet" zone settings away from "Medium-High" to a custom level that is tighter.

My colleague who discovered the issue has never touched his security settings - he doesn't even know where they are.  But the bug happens to him, because he has "automatic updates" turned on and was fully patched.

Salesforce's QA did not have fully patched IE, so did not discover this bug.

Given IE's market share, plus having "automatic updates" turned on by default in Windows, I suspect this bug effects at least 35% of Salesforce's customers.
gjsgjs
John, we have tested clean installs from Microsoft. The default security for sites on IE7 is Medium-High and on IE6 it is Medium. Visualforce pages served from force.com work with these default settings. However, we realize that separate domains may inconvenience partners and customers. It is the price we pay to mitigate against cross site scripting attacks. We are looking at ways to improve error handling such that we can suggest that the user compare their browser security options with what is needed.
jhartjhart
Thanks GJS.

One of my colleagues was also unable to replicate until he enabled automatic updates and got his IE up to a "fully patched" state.  Your testing refers to "clean installs" - are they also fully patched via automatic updates?
jhartjhart
GJS,

I'd be happy to learn that this only strikes me and my colleagues, as opposed to all of our clients =).

But I'm not sure that's the case.

Also related to 3rd party cookies / trusted sites is this discussion thread.

I just posted on that thread a link to a video showing Firefox 3 going into an infinite loop if it's not set to accept 3rd party cookies (which I, at least, prefer to reject).  Chrome and IE have a similar behavior if configured similarly.

I think there's a larger issue of how the new subdomain handling, which prevents the theoretical attack vector of client-side javascript from one app snooping on another, was implemented without P3P headers and thus has led to a few hard-to-track-down bugs relating to browsers and how they handle 3rd party cookies.

It seems like partner apps are getting a rough ride from this subdomain handling, as our customers will call and complain to *us* instead of *you* when our apps don't work.

Any prospect of getting P3P headers set?  That should help with IE, at least, if not the others...

A comprehensive guide to partners about the subdomains, with "this are the problems that might occur, and these are the browser settings that avoid them" would be very helpful.  We shouldn't have to generate this ourselves.


Message Edited by jhart on 11-12-2008 04:31 PM

Message Edited by jhart on 11-12-2008 04:32 PM
gjsgjs

We are looking into deploying P3P. But whilst it is technically easy, there are a number of legal issues. P3P is a "good faith" protocol with different ramifications across the globe, depending on the internet privacy laws of the user's country. We'll keep you posted.

aballardaballard

P3P headers do not really solve the problem.   With IE default privacy settings, if a P3P header is set, then the browser will accept a third party cookie.   So we'd like to set such a header, if the legal issues can be resolved, to simplify usage for default IE browser settings. 

But with both IE and FF, if you have explicitly turned off 3rd party cookies,  the P3P header does not help any. 

(FF3 seems to have no equivalent of the default IE "accept 3rd party cookies for pages that have a P3P header").

 

 

 
KlebKleb
Is there any additional status on this issue?
In our case we have an S-control bringing up a VisualForce page in an IFRAME.
The S-Control comes from salesforce.com, and the IFRAME is served from force.com.
So the browsers cross-domain attack logic kicks in, as it should.
 
Users must explicitly enter https://*.force.com into their trusted sites list, which is a pain in the you-know-what. It's worse because
there is no error message that explains to them what the problem is, and they don't even see the force.com address in their browser
address bar. So a tech support call is the result.
 
[ Editorial comment: This is yet another example of the mess caused by creating the new force.com domain. ]
 
I'm hoping you have something additional to say about this one, because I can't see any way around this, other than to explictly trust the
force.com domain, or salesforce.com aliasing force.com sites back to salesforce.com sites.
 
 
jhartjhart
I'm not sure *.force.com is accepted by all browsers - you might need to go all the way to *.na5.visual.force.com as browsers may not allow "*" to glob across mutliple domain parts.

See this video from this post about a related bug.
KlebKleb
Yes, I've got that one in my pocket if I have to. Makes it even worse because you've got to figure out which server you're on. This wildcard seems to work for IE7 though. And the problem doesn't appear in Firefox (and I'm curious as to why).
jhartjhart
Kleb,

Similar issues do strike FFox & Chrome if they are set to ignore 3rd party cookies.

See this post for a particularly nasty example (there's a video there too).

I've been pushing on Salesforce for a better resolution to all of these issues, but so far the primary response is "this only happens if you customize your IE settings or set them to 'high', so don't do that."

If anyone is running into these issues, please chime in.  I don't think that anyone (including salesforce) knows how widespread this issue is / isn't, so the more info the better.
michaelforcemichaelforce

Kleb... did you get any response yet on your iframe cross-browser problems?  I had some slick resizing functions set up for a homepage component that displays a vf page...  worked in sandbox (where the domains are the same... perhaps until i do a refresh)... upon moving it to production, i got a nice surprise.

 

I liked the /apex/mypagename URL scheme... so far I have not dug up any good reasoning behind the seperate domain...

 

buller? buller?
dchasmandchasman

The move to separate domains has one very specific purpose: leverage the browser security model (same domain policy) to protect our customers and the salesforce.com service from cross site scripting and cross site request forgery attacks.

 

Moving to the serving pages from separate domains is a critical component of our ongoing commitment to insure the highest level of security and availability for everyone.

Message Edited by dchasman on 02-07-2009 09:33 AM
AJK-1972AJK-1972

I understand what salesforce.com was trying to do here and security needs to

be taken seriously but in this particular case  I believe that

salesforce.com was wrong.

 

The ASP model is successful because customers do not have to deal with an IT

burden and can be priced linearly with users added.  Because of that

salesforce.com has attracted customers of all shapes and sizes.  We work

with Fortune 500 all the way down to grandmothers working at non-profits,

even a singer managing his fans. 

  

This means that the technical knowledge of many of salesforce.com customers

is near zero and no IT resource is either available or tasked with helping

maintain Salesforce.  This leads to a very practical problem.

 

Practically speaking, no one knows what is going on when this error occurs

and they either uninstall the app or call in for support.  I have seen cases

where customers have struggled with this for weeks before having an

incidental conversation with us that leads to the simple but hidden fix.

This is a crippling problem from both a usability standpoint and also a

support cost standpoint.  Also, I have to say, convincing a non-technical

person to add a domain to a trusted site list is not always received well.

  

Also, isn't this a bandaid over the bigger issue?.  If an app wants to harm

a customer, there are far easier ways than cross-frame scripting ... once an

app is installed, it has access to all kinds of objects and data, and this

is a much bigger attack risk than installing a visualforce page, getting the

customer to embed it in their page layout, and then cross-frame scripting to

pull data out of the surrounding page.  I feel like we have made the

AppExchange much harder to use with little improvement in security.

 

If the intent here is to reduce the risk of a partner doing something really

bad, then Salesforce needs to do line-by-line reviews of all partner code.

Preventing partner apps from doing cross-frame  scripting attacks does not

solve any problem.  It just switches the problem to another, much easier

attack vector that a malicious actor would have chosen anyway.

 

Finally, the burden of security issues should be born by salesforce.com and

the partner when at all possible - not by the customer.

 

We shouldn't need to have 1.5 million people tweaking their security

settings to make the AppExchange work.

Message Edited by AJK-1972 on 02-11-2009 05:03 PM
KlebKleb
michaelforce, as far as I can tell, there is no solution. I must explicitly trust the VisualForce domain associated with the installed package. The move to separate domains, while understandable, essentially breaks pre-existing functionality. It also happened long after VisualForce itself was released to the development community. The only way I can see of dealing with this is to eliminate my s-controls and go completely VisualForce. Hopefully I will not run into any functionality gaps with the VF technology as I do that. What's really annoying is that we've spent $5000 and over a weeks time going through the salesforce.com security audit for this application. They *have* seen the source code. You would think that a certified application wouldn't have to endure this problem (sarcasm deliberate). AJK-1972 has also written a particularly cogent response below.
michaelforcemichaelforce

I had embedded a Visualforce page inside a homepage component... and even after i stripped any cross-domain scripting away... many users were simply unable to load the page... it would freeze up in certain versions of IE.  So, the problem is even deeper than the "clever resizing" functions i mentioned before... iframe displaying a different domain causes a variety of problems.

 

I agree with AJK-1972, as a developer, If i were asked to I could come up with many easier ways to create malicious apps that would not include cross-domain scripting.

 

It was a sad and frustrating moment when I had to announce that the go-live of the new homepage component would be delayed a week or two as I would have to transition from Visualforce to an S-Control.