Eric Bowden

iFrames and x-frame-options

My Salesforce environment is configured for Salesforce single sign-on, and I would like to render a Visualforce page within an existing application web page, external to Salesforce.

 

By adjusting the clickjack protection settings, I can render a Visualforce page in an iframe on a page external to Salesforce, but only if the browser has already authenticated to Salesforce.  But if the user has not yet authenticated to Salesforce, the iframe render stops once it reaches login.salesforce.com because x-frame-options: deny tells the browser that the page may not be rendered in an iframe.  Specifically, login.salesforce.com returns x-frame-options: deny on the final call to login.salesforce.com, if you're familiar with the sequence of redirects used for SSO.  I can post a trace if that would help explain better.

 

It would be high value to be able to render Visualforce pages, and the associated single sign-on authentication, in an iframe.

 

Is this possible using a configuration setting or is there another workaround possible?  Is there any possibility that this may change in a future release?

 

Best Answer chosen by Admin (Salesforce Developers) 
Eric Bowden

Figured it out....  me and fiddler just needed a little more quality time together.

 

From the fiddler trace, I could see that the Salesforce logon/session cookies were not being persisted when the site was included in an iframe.  The issue was that cookies are not enabled for a site within an iframe, by default, in IE.  So, though my issue initially appeared to be with the x-frame-options at login.salesforce.com, the issue was actually caused by the login session cookie not being persisted in the browser for an iframe.  In the problem flow, Salesforce was not recognizing the login as valid (as expected) and redirecting back to login.salesforce.com where the x-frame-options were set to Deny.  The x-frame-options are not an issue for this case.

 

The solution, which I think will work for me, is to have *.salesforce.com in a higher trust setting in IE (e.g. Trusted Sites) which will allow cookies to be persisted.  I'll need to test other browsers and hope to find a similar setting or that cookies are not blocked for iframes.

 

Cheers,

Eric
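The diagnosis above separates two mechanisms that look identical from the outside: an X-Frame-Options header refusing the frame, and a session cookie that is never stored in the framed (third-party) context, which sends the browser back to a login page that happens to carry that header. The following is an added example written for this page, not code from the thread or from Salesforce: it models X-Frame-Options evaluation as RFC 7034 describes it (DENY, SAMEORIGIN, ALLOW-FROM, and ignored when absent or invalid), then replays Eric's redirect chain with and without cookies accepted for the framed site. The origins, the `sid` cookie name and the hop sequence are constructed stand-ins; no network requests are made.

```javascript
'use strict';

// Decide whether a response carrying `headerValue` may be framed by a
// top-level document at `topOrigin`. Mirrors RFC 7034 semantics:
//   DENY            never framed
//   SAMEORIGIN      framed only when the top-level origin equals the framed origin
//   ALLOW-FROM uri  framed only when the top-level origin equals uri's origin
//   absent/invalid  header ignored, framing permitted
function xfoAllowsFraming(headerValue, framedUrl, topOrigin) {
  if (headerValue === undefined || headerValue === null) return true;
  const value = String(headerValue).trim();
  const upper = value.toUpperCase();
  const top = new URL(topOrigin).origin;
  if (upper === 'DENY') return false;
  if (upper === 'SAMEORIGIN') return new URL(framedUrl).origin === top;
  if (upper.startsWith('ALLOW-FROM')) {
    const uri = value.slice('ALLOW-FROM'.length).trim();
    try { return new URL(uri).origin === top; } catch (e) { return false; } // unparsable uri: modelled as deny
  }
  return true; // unrecognised token: browsers ignore the header
}

// Hypothetical URLs standing in for the org's Visualforce page and login.salesforce.com.
const VF_PAGE = 'https://example-org.my.salesforce.com/apex/MyPage';
const LOGIN = 'https://login.salesforce.com/';

// Replay the framed login chain. `acceptsCookies=false` reproduces IE's default
// of not persisting cookies for a site shown inside an iframe.
function simulateFramedLogin({ acceptsCookies, topOrigin }) {
  const jar = new Map(); // cookies the browser keeps for the framed context
  const trace = [];
  let url = VF_PAGE;
  let loginVisits = 0;

  for (let hop = 0; hop < 6; hop++) {
    if (url === VF_PAGE) {
      if (jar.has('sid')) {
        trace.push({ url, status: 200, cookie: 'sid=' + jar.get('sid') });
        return { rendered: true, blockedBy: null, trace };
      }
      trace.push({ url, status: 302, location: LOGIN }); // no session: go log in
      url = LOGIN;
    } else {
      loginVisits += 1;
      if (loginVisits === 1) {
        // SSO completes; login issues the session cookie and bounces back to the page.
        if (acceptsCookies) jar.set('sid', 'constructed-session-id');
        trace.push({ url, status: 302, setCookie: 'sid=constructed-session-id', location: VF_PAGE });
        url = VF_PAGE;
      } else {
        // Second arrival at login: the session was not recognised, the login
        // page renders, and its X-Frame-Options: DENY stops the frame.
        const xfo = 'DENY';
        trace.push({ url, status: 200, 'x-frame-options': xfo });
        const allowed = xfoAllowsFraming(xfo, url, topOrigin);
        return {
          rendered: allowed,
          blockedBy: allowed ? null : 'X-Frame-Options: DENY on login.salesforce.com',
          trace,
        };
      }
    }
  }
  return { rendered: false, blockedBy: 'redirect loop', trace };
}

// What the Fiddler trace revealed: a Set-Cookie that was issued but never sent back.
function diagnose(result) {
  if (result.rendered) return 'ok';
  const issued = result.trace.some((h) => h.setCookie);
  const replayed = result.trace.some((h) => h.cookie);
  if (issued && !replayed) return 'session cookie not persisted for framed context';
  return result.blockedBy || 'unknown';
}

const topOrigin = 'https://intranet.example.com';
for (const acceptsCookies of [false, true]) {
  const result = simulateFramedLogin({ acceptsCookies, topOrigin });
  console.log(`cookies accepted=${acceptsCookies}: ${diagnose(result)}`);
  for (const hop of result.trace) console.log('  ', JSON.stringify(hop));
}
```

Run with `node`. The cookies-blocked run ends on a 200 from login.salesforce.com carrying `X-Frame-Options: DENY`, exactly the symptom in the original question, while `diagnose` points at the missing cookie replay rather than at the header; the cookies-accepted run renders the page on the second visit without ever touching that header.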

All Answers

Missy Longshore
Hi Eric and anyone else,
I have an issue that may be related... I'm working on a Force.com Sites page and just got this back from my client's web developers... I've had SFDC disable clickjack protections, but it didn't work; should I ask them to allow a higher trust setting? Any other advice? Thanks!

The "X-Frame-Options" header needs to be set on the page being embedded in the iFrame (not the calling/parent page), which would be the page being delivered from the "rocketshiphr.force.com" domain.

"X-Frame-Options" is used on pages to control if, and when, a page can be displayed in an iFrame.  Currently, the page coming from "rocketshiphr.force.com" has this set to "SAMEORIGIN", which is why this is not working.  Whoever is responsible for "rocketshiphr.force.com" will need to remove the "X-Frame-Options" header completely.  The "ALLOW-FROM" option is not fully supported across all browsers, so it is not recommended to use that method.

You will need to contact "force.com" about this matter as there is nothing we can do on our end to have this work.  If "force.com" cannot do this, then the only other option you have is to provide a link on that page that points to the URL you are trying to embed in the iFrame.
Alina Radu 9
Hi Eric,

I'm interested in accessing a Salesforce page in an iframe on an external application. Where can I configure the clickjack settings so that I can access the page and the X-FRAME-OPTIONS header is not sent?

Thank you,
Alina
Azhar Beebeejaun
Alina,

Clickjack protection settings are available at Setup > Administer > Security Controls > Session Settings.
Scott Ellis 9
I'm having an issue in Chrome with Lightning Experience turned on. Most of the Lightning Content in Setup is not displaying - I get X-FRAME-OPTIONS error: Refused to display 'https://mysite-dev-ed.my.salesforce.com/?ec=302&startURL=%2Fwalkthrough%2Fcross-domain-local-storage.jsp' in a frame because it set 'X-Frame-Options' to 'DENY'. I will continue to investigate, but if anyone has a suggestion...
Jaap Branderhorst 12
I have a similar problem to the one Scott reports when I turn on My Domain with Lightning for Gmail. Lightning for Gmail loads in an iframe, and apparently the Salesforce login page doesn't want to load inside that iframe if My Domain is turned on.
Srivani Gorthi
How do I clear the issue I'm facing in Chrome? I couldn't get the issue cleared even in Firefox.
 
Jasmine Narula 1
Hi,
Add the VF page URL to the CORS settings.

This worked for me.
 
Alejandro Hartoch
I cannot find the Clickjack protection setting in my developer account. Has this been removed?