
Issue with iFrame loading


I have a requirement to develop a Visualforce page to load a website in an iFrame. The code is very straightforward:

<apex:page standardController="xxxxxx" >
<apex:form >
    <apex:iframe src="{!$Label.iFrameLink}" scrolling="true" id="theIframe"/>
</apex:form>
</apex:page>

I'm using the custom label 'iFrameLink' for the URL. The issue is that for some website domains it loads perfectly in the iframe, but for some domains it doesn't. The website I have to load in the iFrame is in a secured domain. I downloaded the security certificate in the browser to make it work, but this created another problem. The page isn't opening in the iFrame; rather, it's redirecting to the mentioned URL.

I read in the forum that some domains use the X-Frame-Options: SAMEORIGIN header to block their site from displaying in iframes. The X-Frame-Options header is a security feature to prevent clickjacking attacks. I hope this is not the same problem, as in my case the page loads, but instead of loading in the iframe it reloads the entire window.

Does anyone have any clue about this?

I am wondering if the new Clickjack Protection for Non-Setup Salesforce Pages which has been introduced has something to do with the issue you are facing.

As mentioned in the doc: "If your organization displays non-setup Salesforce pages within a frame or <iframe>, it's possible that the pages will either display as a blank page or without the frame after clickjack protection is enabled."

Is the page being redirected from Salesforce to the link you've mentioned in the custom label, or does the link open within Salesforce but not as an iframe?

Hi Sonam,

Thanks for the quick response. Yes, the page is being redirected from Salesforce to the link I've mentioned. I read through the document, so this is totally prevented from Salesforce itself.

Just another thought..

I read through the session settings parameters and for the option "Enable clickjack protection for non-setup customer Visualforce pages" it says: 
"If you use custom Visualforce pages within a frame or iframe, you may see a blank page or the page may display without the frame. For example, Visualforce pages in a page layout do not function when clickjack protection is on."

The page I'm trying to load is not a VF page. When trying with VF or www pages, it works fine. It also works for certain https sites where a client certificate is not required to be downloaded. But it doesn't work for our company domain page.
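
An added example, not part of the original thread: a small Node.js check that reads a framed site's response headers and reports whether X-Frame-Options or the CSP frame-ancestors directive would stop a given parent page from framing it. The origins and header sets are constructed samples, and the function names are hypothetical. A header-level block leaves the frame blank; it does not navigate the top window, so a result of 'no header-level restriction' means the cause of a full-window reload lies elsewhere, for example in the framed page's own script.

```javascript
// Added example. Decide whether response headers let `parentOrigin` frame `frameUrl`.
const portOf = u => u.port || (u.protocol === 'https:' ? '443' : '80');

function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list, or null when the directive is absent.
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function sourceMatches(source, parent, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return parent.origin === self.origin;
  if (s === '*') return true;
  if (s.endsWith(':')) return parent.protocol === s; // scheme source such as https:
  // Host source: optional scheme, optional leading "*.", host, optional port.
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && parent.protocol !== scheme + ':') return false;
  const hostOk = wildcard ? parent.hostname.endsWith('.' + host) : parent.hostname === host;
  const portOk = !port || port === '*' || portOf(parent) === port;
  return hostOk && portOk;
}

function framingVerdict(headers, parentOrigin, frameUrl) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const parent = new URL(parentOrigin), self = new URL(frameUrl);
  const csp = h['content-security-policy'];
  const ancestors = csp ? parseFrameAncestors(csp) : null;
  if (ancestors !== null) {
    // When frame-ancestors is present, browsers apply it instead of X-Frame-Options.
    return ancestors.some(src => sourceMatches(src, parent, self))
      ? 'allowed by frame-ancestors' : 'blocked by frame-ancestors';
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked by X-Frame-Options';
  if (xfo === 'SAMEORIGIN') {
    return parent.origin === self.origin ? 'allowed (same origin)' : 'blocked by X-Frame-Options';
  }
  return 'no header-level restriction'; // obsolete ALLOW-FROM values also land here
}

// Constructed sample: a Visualforce parent framing an intranet page.
const PARENT = 'https://example.my.salesforce.com';
const FRAME = 'https://intranet.example.com/app';
console.log(framingVerdict({ 'X-Frame-Options': 'SAMEORIGIN' }, PARENT, FRAME));
```

To use it on a real page, copy the response headers for the framed URL from the browser's network panel into the first argument.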