Paul Mann

iFrame Issue

I'm working on a force.com sites page and just got the italicized message below from our web developers. I've had SFDC disable clickjack protections but it didn't work; should I ask them to allow a higher trust setting? Any other advice? Thanks!

The "X-Frame-Options" header needs to be set on the page being embedded in the iFrame (not the calling/parent page), which would be the page being delivered from the "rocketshiphr.force.com" domain.

"X-Frame-Options" is used on pages to control if, and when, a page can be displayed in an iFrame.  Currently, the page coming from "rocketshiphr.force.com" has this set to "SAMEORIGIN", which is why this is not working.  Whoever is responsible for "rocketshiphr.force.com" will need to remove the "X-Frame-Options" header completely.  The "ALLOW-FROM" option is not fully supported across all browsers, so it is not recommended to use that method.

You will need to contact "force.com" about this matter as there is nothing we can do on our end to have this work.  If "force.com" cannot do this, then the only other option you have is to provide a link on that page that points to the URL you are trying to embed in the iFrame.
thomast
When you write "I've had SFDC disable clickjack protections" - where are you talking about?

If you go to the Site settings - Setup > Develop > Sites > [your site name] -- what is shown for Clickjack Protection Level there? If you edit the site and set that to "Allow framing by any page (no protection)" does that allow your iframed Sites page to work? 
Missy Longshore
Yes, it works!!! Thank you Thomas, you're the best!!!
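
The framing check discussed in this thread, as an added example that is not part of the original posts and is not Salesforce code: a simplified model of how a browser decides whether a response may render inside an iframe, useful for confirming which header is blocking the embed. The function names, the `/page` path and the `www.example.com` parent origin are constructed for illustration.

```javascript
// Simplified model of the browser's framing decision for one response.
// Assumptions: one level of nesting (the parent is the top-level page); headers are a
// plain object with lowercase names; frame-ancestors matching covers only 'none',
// 'self', '*', exact origins and a leading "*." host wildcard.
function framingDecision(headers, framedUrl, parentOrigin) {
  const framedOrigin = new URL(framedUrl).origin;
  const parent = new URL(parentOrigin);

  // CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
  const csp = headers['content-security-policy'] || '';
  const directive = csp.split(';').map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const ok = directive.slice(1).some(src => matchesSource(src, parent, framedOrigin));
    return { allowed: ok, reason: 'CSP frame-ancestors' };
  }

  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: parent.origin === framedOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Obsolete value: current browsers ignore it, so it restricts nothing.
    return { allowed: true, reason: 'ALLOW-FROM ignored (no protection)' };
  }
  return { allowed: true, reason: 'no framing restriction' };
}

function matchesSource(src, parent, framedOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return parent.origin === framedOrigin;
  const m = s.match(/^(https?):\/\/(\*\.)?([^/:]+)$/);
  if (!m || parent.protocol !== m[1] + ':') return false;
  return m[2] ? parent.hostname.endsWith('.' + m[3]) : parent.hostname === m[3];
}

// Constructed case matching the thread: SAMEORIGIN page framed by a different site.
console.log(framingDecision({ 'x-frame-options': 'SAMEORIGIN' },
  'https://rocketshiphr.force.com/page', 'https://www.example.com'));
```

Removing the restriction entirely lets any site frame the page; where the platform allows it, a `Content-Security-Policy: frame-ancestors` value naming only the embedding origin is the narrower way to permit one parent.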