Prit Kang 8

Salesforce summer 16 - page not loading in iframe

We have a salesforce app exchange listed application. In this we are opening certain application pages in iframe. It was working fine in lightning till spring 16. There is documentation that this was done to prevent clickjacking:

https://help.salesforce.com/apex/HTViewSolution?urlname=IFRAME-or-Web-Tab-Content-Displays-Blank-Page-1327107637323

We were testing our app in the new summer 16 org as the release is around the corner and we found none of our pages are opening in iframe when lightning is turned ON. It's working in the classic mode though.
We found that the error we got in the browser console was of a Content Security Policy (CSP) frame-ancestors 'self'.
To test this I created 2 example pages to check what happens if I hardcode the page url and try to open in an Iframe.

When I try to open Page 1 I got an error "Refused to display 'https://cs3.lightning.force.com/one/one.app#/apex/TestFrameInternal' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"." (TestFrameInternal is a test page I am opening in iframe in another test page)

Now I am confused about this content security policy as it allows iframing but only when frame-ancestor is self. I need to understand if I have understood this content security policy correctly and will I be able to open visualforce pages in iframe in lightning ui in summer 16 or not.

What I don't understand is the content security policy. It talks about "frame-ancestors 'self'" which means a page can be loaded in iframe if the parent's domain is the same as the page in iframe. This is confusing for me as the iframe is still not loading if I ensure both the domains are the same.
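
Added example (not part of the original post and not Salesforce code): a simplified model of how a browser evaluates frame-ancestors. 'self' means the exact origin (scheme, host and port) of the framed page, and every ancestor up to the top window has to match, not only the direct parent. The two ancestor URLs are constructed assumptions; only the framed URL comes from the error quoted above.

```javascript
// Simplified CSP frame-ancestors check (added example; no path matching).
function parseFrameAncestors(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null; // directive absent: this policy does not restrict framing
}

function sourceMatches(source, ancestor, framed) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return ancestor.origin === framed.origin; // scheme + host + port
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.protocol === s; // e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Simplification: a source without a scheme must use the framed page's scheme.
  if (ancestor.protocol !== (scheme ? scheme + ":" : framed.protocol)) return false;
  const ancPort = ancestor.port || (ancestor.protocol === "https:" ? "443" : "80");
  if (port ? (port !== "*" && port !== ancPort) : ancestor.port !== "") return false;
  return host.startsWith("*.")
    ? ancestor.hostname.endsWith(host.slice(1)) // *.force.com: any subdomain
    : ancestor.hostname === host;
}

// Every ancestor, from the direct parent up to the top window, must match.
function mayBeFramed(framedUrl, cspHeader, ancestorUrls) {
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return { allowed: true, blockedBy: null };
  const framed = new URL(framedUrl);
  for (const url of ancestorUrls) {
    const ancestor = new URL(url);
    if (!sources.some((src) => sourceMatches(src, ancestor, framed))) {
      return { allowed: false, blockedBy: ancestor.origin };
    }
  }
  return { allowed: true, blockedBy: null };
}

const FRAMED = "https://cs3.lightning.force.com/one/one.app#/apex/TestFrameInternal"; // from the quoted error
const VF_PARENT = "https://c.cs3.visual.force.com/apex/TestFrame"; // constructed, assumed Visualforce host
const LEX_TOP = "https://cs3.lightning.force.com/one/one.app"; // constructed top-level window
const POLICY = "frame-ancestors 'self'";
console.log(mayBeFramed(FRAMED, POLICY, [VF_PARENT, LEX_TOP])); // parent on another host
console.log(mayBeFramed(FRAMED, POLICY, [LEX_TOP])); // single same-origin ancestor
```
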
ftahir
Prit,

I just tested this and it's working for me in Summer'16 org. Can you give me a repro where it's not working?

LC:

<aura:component implements="force:appHostable">
    <aura:handler name="init" value="{!this}" action="{!c.init}"/>

    <div>
        <ui:button label="Send to VF iFrame" press="{!c.send}"/>
    </div>

    <iframe src="/apex/iframeDemo" aura:id="iframe"/>
</aura:component>

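({
    // Show any message posted to this window (e.origin is not checked).
    init : function() {
        window.addEventListener("message", function(e) {
            alert(e.data);
        }, false);
    },

    // Post a message to the Visualforce page in the iframe.
    // The "*" target origin puts no restriction on the receiving origin.
    send : function(component) {
        var iframe = component.find("iframe").getElement();
        iframe.contentWindow.postMessage("Hello from Lightning", "*");
    }
})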

/apex/iframeDemo:

<apex:page showHeader="false">
    VF Page iFrame Demo
    <button id="send">Send to Lightning</button>

    <script>
        // Show any message posted to this page (e.origin is not checked).
        window.addEventListener("message", function(e) {
            alert(e.data);
        }, false);

        // Post a message to the parent (Lightning) window; "*" allows any origin.
        document.getElementById("send").addEventListener("click", function() {
            parent.postMessage("Hello from Visualforce in an iFrame", "*");
        });
    </script>
</apex:page>