
Critical Update: Enable clickjack protection

I am reviewing a Critical Update. Here is the Update Summary:
This update enables clickjack protection for all non-setup Salesforce pages. If you use <iframe> elements to frame pages from a non-Salesforce domain, this update will impact your organization.
We DO have Visualforce pages which <iframe> pages from our homegrown applications. So I was reluctant to ACTIVATE this Update. Instead, I figured I'd try to Activate it in our sandbox just to see what would happen to our <iframe>s. Much to my surprise, nothing happened. Our iframes continued to load with no problem.

Can anybody explain why Salesforce says, "this update will impact your organization" and yet my organization is not impacted? Do I have to wait a day or two for the Update to take effect? Are there exceptions to the rule? Does it maybe work on some browsers but not others?

This is a very poorly explained Critical Update considering it could potentially disable my entire production Org if I overlooked something.

Steven Lawrance
Framing other sites' pages from a Visualforce page should be fine as long as those other sites' pages aren't preventing themselves from being framed by the Visualforce pages.

It's the other direction that is being affected by this change, and it's specifically for pages that are built into the Salesforce platform and not customer-created or package-installed Visualforce pages. If your homegrown applications frame a Visualforce page, then that should be fine as long as the "Enable clickjack protection for non-setup customer Visualforce pages" session setting is off. The "Enable clickjack protection for non-setup Salesforce pages" preference does not affect the framing of Visualforce pages in either direction, though there is a known issue where a Visualforce page rendered when an unhandled exception in the Apex controller occurs may look at the "Enable clickjack protection for non-setup Salesforce pages" session setting instead of the "Enable clickjack protection for non-setup customer Visualforce pages" session setting. In your use case, where a Visualforce page is framing homegrown applications, that issue won't apply as it's the frameability of the Salesforce.com-served pages that is affected by these session settings.
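A check for the direction the answer describes, added here as an example and not taken from the thread: it decides whether a framing page may embed a framed page purely from the framed page's own response headers (X-Frame-Options or CSP frame-ancestors, the headers through which clickjack protection reaches the browser), so a Visualforce page framing a homegrown app is judged by the homegrown app's headers, not by anything the Salesforce setting changes. All URLs and headers below are constructed samples.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """scheme://host[:port], lower-cased, for same-origin comparisons."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def csp_source_matches(source, framing_url, framed_url):
    """Match one frame-ancestors source ('self', *, host, *.host, scheme://host)
    against the framing page's origin. Scheme and port matching is simplified."""
    src = source.lower()
    if src == "*":
        return True
    if src == "'self'":
        return origin_of(framing_url) == origin_of(framed_url)
    host = (urlsplit(framing_url).hostname or "").lower()
    src_host = src.split("://", 1)[1] if "://" in src else src
    src_host = src_host.split(":", 1)[0].split("/", 1)[0]
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return host == src_host


def framing_allowed(framed_url, framing_url, framed_headers):
    """Return (allowed, reason). Only the FRAMED page's headers are consulted;
    the framing page's own headers play no part in whether the frame loads."""
    h = {k.lower(): v for k, v in framed_headers.items()}
    # CSP frame-ancestors takes precedence over X-Frame-Options when both exist.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            # An empty source list is equivalent to 'none'.
            if not sources or "'none'" in (s.lower() for s in sources):
                return False, "CSP frame-ancestors 'none'"
            ok = any(csp_source_matches(s, framing_url, framed_url) for s in sources)
            return ok, "CSP frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return origin_of(framed_url) == origin_of(framing_url), "X-Frame-Options: SAMEORIGIN"
    return True, "framed page sends no framing restriction"


if __name__ == "__main__":
    # Poster's case (constructed): a Visualforce page frames a homegrown app with no header.
    print(framing_allowed("https://apps.example.internal/report",
                          "https://myorg.visualforce.com/apex/Report", {}))
    # Opposite direction (constructed): the homegrown app frames a built-in Salesforce page.
    print(framing_allowed("https://myorg.salesforce.com/001/o",
                          "https://apps.example.internal/portal",
                          {"X-Frame-Options": "SAMEORIGIN"}))
```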