iFrames and x-frame-options
My Salesforce environment is configured for Salesforce single sign-on, and I would like to render a Visualforce page within an existing application web page, external to Salesforce.
By adjusting the clickjack protection settings, I can render a Visualforce page in an iframe on a page external to Salesforce, but only if the browser has already authenticated to Salesforce. But if the user has not yet authenticated to Salesforce, the iframe render stops once it reaches login.salesforce.com because x-frame-options: deny tells the browser that the page may not be rendered in an iframe. Specifically, login.salesforce.com returns x-frame-options: deny on the final call to login.salesforce.com, if you're familiar with the sequence of redirects used for SSO. I can post a trace if that would help explain better.
It would be high value to be able to render visual force pages, and the associated single sign-on authentication, as an iframe.
Is this possible using a configuration setting or is there another workaround possible? Is there any possibility that this may change in a future release?
Figured it out.... me and fiddler just needed a little more quality time together.
From the fiddler trace, I could see that the Salesforce logon/session cookies were not being persisted when the site was included in an iframe. The issue was that cookies are not enabled for a site within an iframe, by default, in IE. So, though my issue initially appeared to be with the x-frame-options at login.salesforce.com, the issue was actually caused by the login session cookie not being persisted in the browser for an iframe. In the problem flow, Salesforce was not recognizing the login as valid (as expected) and redirecting back to login.salesforce.com where the x-frame-options were set to Deny. The x-frame-options are not an issue for this case.
The solution, which I think will work for me, is to have *.salesforce.com in a higher trust setting in IE (e.g. Trusted Sites) which will allow cookies to be persisted. I'll need to test other browsers and hope to find a similar setting or that cookies are not blocked for iframes.
Cheers,
Eric
All Answers
I have an issue that may be related... I'm working on a force.com sites page and just got this back from my client's web developers... I've had SFDC disable clickjack protections but it didn't work; should I ask them to allow a higher trust setting? Any other advice? Thanks!
The "X-Frame-Options" header needs to be set on the page being embedded in the iFrame (not the calling/parent page), which would be the page being delivered from the "rocketshiphr.force.com" domain.
"X-Frame-Options" is used on pages to control if, and when, a page can be displayed in an iFrame. Currently, the page coming from "rocketshiphr.force.com" has this set to "SAMEORIGIN", which is why this is not working. Whoever is responsible for "rocketshiphr.force.com" will need to remove the "X-Frame-Options" header completely. The "ALLOW-FROM" option is not fully supported across all browsers, so it is not recommended to use that method.
You will need to contact "force.com" about this matter as there is nothing we can do on our end to have this work. If "force.com" cannot do this, then the only other option you have is to provide a link on that page that points to the URL you are trying to embed in the iFrame.
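A way to make the diagnosis Eric describes repeatable, as an added example that is not code from this thread: given the hops of a captured redirect chain (as exported from Fiddler or a browser's network panel), report every hop whose X-Frame-Options value would stop a cross-origin iframe and every Set-Cookie that a cross-site frame would not retain. The trace, hostnames and cookie value are constructed; the cookie rule is the current SameSite/Secure requirement rather than the IE security-zone setting discussed above; the X-Frame-Options handling is the standard DENY/SAMEORIGIN semantics, with ALLOW-FROM modelled the way the browsers that honoured it did.

```javascript
// Added example (not code from the thread): read a captured redirect chain the
// way one reads a Fiddler trace and list every hop that breaks an embed.
// Two checks per hop: can a cross-origin <iframe> render the response
// (X-Frame-Options), and will any cookie the hop sets survive inside a
// cross-site frame (modern SameSite rule; IE's per-zone cookie policy from the
// thread is not modelled).

// Decide whether the browser renders `framedUrl` in an <iframe> whose top-level
// page has origin `topOrigin`, given the response's X-Frame-Options value.
function framingAllowed(xfoValue, framedUrl, topOrigin) {
  if (xfoValue == null) return true;              // no header: framing permitted
  const value = xfoValue.trim();
  if (/^deny$/i.test(value)) return false;
  if (/^sameorigin$/i.test(value)) {
    return new URL(framedUrl).origin === topOrigin;
  }
  const allowFrom = /^allow-from\s+(\S+)$/i.exec(value);
  if (allowFrom) {
    // Legacy directive. Browsers that never supported it treat the header as
    // invalid and frame freely; this models a browser that honoured it.
    return new URL(allowFrom[1]).origin === topOrigin;
  }
  return true;                                     // unrecognised value: ignored
}

// A cookie set from inside a cross-site <iframe> is stored and sent back only
// when it carries SameSite=None together with Secure (assumption: current
// browser defaults, where a missing SameSite attribute behaves as Lax).
function cookieUsableCrossSite(setCookieValue) {
  const attrs = setCookieValue.split(';').slice(1).map(a => a.trim().toLowerCase());
  return attrs.includes('samesite=none') && attrs.includes('secure');
}

// hops: [{ url, status, headers }] in request order; header names lower-cased,
// as a proxy export usually presents them. Returns every { url, reason } that
// would break the embedded flow; an empty array means the chain is clean.
function chainProblems(hops, topOrigin) {
  const problems = [];
  for (const hop of hops) {
    for (const cookie of [].concat(hop.headers['set-cookie'] || [])) {
      if (!cookieUsableCrossSite(cookie)) {
        const name = cookie.split('=')[0].trim();
        problems.push({ url: hop.url, reason: `cookie ${name} will not be sent from a cross-site frame` });
      }
    }
    const xfo = hop.headers['x-frame-options'];
    if (!framingAllowed(xfo, hop.url, topOrigin)) {
      problems.push({ url: hop.url, reason: `X-Frame-Options: ${xfo}` });
    }
  }
  return problems;
}

// Constructed trace (hostnames and cookie value are placeholders) modelled on
// the sequence the thread describes: the Visualforce page redirects to login,
// and the login response both sets the session cookie and denies framing.
const SAMPLE_TRACE = [
  { url: 'https://example.my.salesforce.com/apex/EmbeddedPage', status: 302,
    headers: { location: 'https://login.salesforce.com/?startURL=%2Fapex%2FEmbeddedPage' } },
  { url: 'https://login.salesforce.com/?startURL=%2Fapex%2FEmbeddedPage', status: 200,
    headers: { 'x-frame-options': 'DENY',
               'set-cookie': ['sid=constructed-value; Secure; HttpOnly'] } },
];

// The same chain as it would have to look for the embed to work: no framing
// restriction on the login hop, and a session cookie usable cross-site.
const SAMPLE_TRACE_FIXED = [
  SAMPLE_TRACE[0],
  { ...SAMPLE_TRACE[1],
    headers: { 'set-cookie': ['sid=constructed-value; SameSite=None; Secure; HttpOnly'] } },
];

const TOP_ORIGIN = 'https://portal.example';       // the embedding application
console.log(chainProblems(SAMPLE_TRACE, TOP_ORIGIN));
console.log(chainProblems(SAMPLE_TRACE_FIXED, TOP_ORIGIN));
```

Run it with node. When the login hop reports both findings, read the cookie finding as the upstream cause, exactly as in the trace above: the session is never recognised, so the flow lands back on the login page that denies framing. A Content-Security-Policy frame-ancestors directive, where a server sends one, takes precedence over X-Frame-Options and is not parsed here.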
I'm interested in accessing a Salesforce page in an iframe on an external application. Where can I configure the clickjack settings so that I can access the page and the X-FRAME-OPTIONS header is not sent?
Thank you,
Alina
Clickjack protection settings are available at Setup > Administer > Security Controls > Session Settings.
Add the VF page URL to CORS.
This worked for me.