I'm trying to embed a public page from a Force.com site in an iframe on a public website. The page works as expected when I load it in its own tab, but doesn't load in the iframe — instead, I get the following error:
Refused to display 'https://DOMAIN.cs9.force.com/PREFIX/PAGE' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
This question implies that you can turn off same-origin policy checking on Visualforce pages by disabling click-jack protection, but I have already turned off click-jack protection and am still seeing this error.
Any tips or suggestions?
Best Answer
Force.com Sites have click-jack settings set up on a per-site basis. You need to change yours to "Allow framing by any page (no protection)"