Find your content:

Search form

You are here

Upcoming "clickjacking" protection


There is a new alert on the Partnerforce portal that is letting partners know of the upcoming "clickjack protection" for non-setup pages in Winter '13. It seems to be stating that if a customer turns this on, ALL framed/iframed pages (Visualforce or otherwise) will stop working.

Does anybody have any more information on this? If I'm reading it correctly, it's going to be an unusable feature for any customer who either has installed a package that uses frames or has done their own custom implementation using frames or iframes. I've personally seen dozens of customers who do this.

If this is the case, I hope SFDC at least has it turned off by default and boldly warns anyone who turns it on that it is likely to break pages if they use frames anywhere.

Does anybody know anything? It sounds like a feature which could potentially break a LOT of managed package features but is seemingly not getting much press. I posted this question in the official Visualforce forum but got no response.

Attribution to: jkraybill

Possible Suggestion/Solution #1

There's more on this in the Winter '13 release notes.

Interpreting the release notes, it looks like you have to go in and enable the settings. The release notes do inform the user that some pages may display as blank.

Clickjacking Protection Available

You can enable protection against clickjack attacks (also known as user interface redress attacks) for non-setup pages and your custom Visualforce pages. Setup pages already include protection against clickjack attacks. Click Your Name > Setup > Security Controls > Session Settings to select:
Enable clickjack protection for non-setup Salesforce pages Enable clickjack protection for customer Visualforce pages with standard headers Enable clickjack protection for customer Visualforce pages with headers disabled

It’s possible that pages will either display as a blank page or without the frame if either of these settings is enabled and either of the following conditions exists:

  • Your organization displays user interface pages within a frame or iframe.

  • You use custom Visualforce pages within a frame or iframe.

The behavior varies depending on your browser and its version. To ensure that these pages will continue to work correctly in your organization, discontinue displaying these pages within a frame or iframe.

Attribution to: Peter Knolle

Possible Suggestion/Solution #2

It's my understanding that VF pages that use the standard controller are the only ones that will be affected by the new click jacking setting.

Attribution to: jordan.baucke

Possible Suggestion/Solution #3

I do know that it can optionally be disabled on a per-org basis under Session Settings.

I did just get unofficial word that it does default to ON, although I'm not confident this is really the case yet.

What technical details we do have come from this bit:

Custom Visualforce pages with the showHeader attribute in the apex:page element set to true within a frame or iframe.

This implies there will be a somewhat standard frame buster script inserted on every visualforce page with showHeader="true" and all standard SFDC pages.

Outside of a leak directly from R&D I think this is the extent of the available information.

Attribution to: ca_peterson
This content is remixed from stackoverflow or stackexchange. Please visit

My Block Status

My Block Content