any help fixing this?
Invalid 'X-Frame-Options' header encountered when loading 'https://na35.salesforce.com/apexpages/devmode/devConsoleViewStateMetadataReceiver.apexp?sfdcIFrameOrigin=https%3A%2F%2Fc.na35.visual.force.com': 'ALLOW-FROM https://c.na35.visual.force.com' is not a recognized directive. The header will be ignored.
My Salesforce environment is configured for Salesforce single sign-on, and I would like to render a Visualforce page within an existing application web page, external to Salesforce.
By adusting the clickjack protection settings, I can render a Visualforce page in an iframe on a page external to Salesforce, but only if the browser has already authenticated to Salesforce. But if the user has not yet authenticated to Salesforce, the iframe render stops once it reaches login.salesforce.com because x-frame-options: deny tells the browser that the page may not be rendered in an iframe. Specifically, login.salesforce.com returns x-frame-options:deny on the final call to login.salesforce.com, if you're familiar with the sequence of redirects used for SSO. I can post a trace if that would help explain better.
It would be high value to be able to render visual force pages, and the associated single sign-on authentication, as an iframe.
Is this possible using a configuration setting or is there another workaround possible? Is there any possibility that this may change in a future release?