[SalesForce] How to embed external Web Application URL and navigate through the external URL webpages in salesforce

I am trying to frame external web application URL in salesforce using webtab, I am unable to connect to the external web application.

I have tried the following steps to mitigate issue but i am still getting the same error message, any help would be appreciated.

I have Setup the External Web URL in CORS
I have Setup the External Web URL in RemoteSite Settings

Error message which i encountering is:

Refused to frame 'https://XYZ.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

Any help would be appreciated.

Best Answer

It sounds like the external site has a "self" content security policy and therefore can never be embedded in an iframe on a page originating from a different site (such as Salesforce in your case). This is getting more common since it is a way to mitigate against XSS and clickjacking.

You need to look at the documentation for the external system you wish to embed to see if it provides a means to change this policy. If it doesn't, you will never be able to embed it and will have, instead, to simply provide a button to open the external system in a separate browser tab/window. If it allows you to add your Salesforce org URL(s) as trusted sites on that external system you can then probably do what you want.

Related Solutions

[SalesForce] How to call a Salesforce REST URL from Lightning Component

Marty is correct, although I would like to temper the description of this being "unfortunate" a bit with some background on why the security policy is in place. In order for us to satisfy our internal security audits and architectural reviews which allowed us, for the first time ever in our presentation layer, to provide a supported mechanism to allow salesforce authored code and customer/ISV/partner authored code to coexist in the same JavaScript space we had to tighten things down significantly. Here are some of the things currently enforced:

Content security policy, or CSP, a relatively new browser technology that allows us to have fine-grained control over access to all external references to scripts, images, stylesheets, etc. Our policy is extremely restrictive right now and not extensible but we had plans to open up a white listing capability in the near future.
Lightning applications are served from a separate domain in much the same manner that visual force pages are today. The difference here is that you are actually in the same application, running right next to our client-side code and not relegated to live in an iframe silo. Those silos have presented significant challenges around producing high performance, high fidelity, engaging user experiences that integrates directly into core salesforce functionality for many years.
The lightning application separate domain also uses a special lightning session ID that does not have direct API access. The fact that you can currently provide indirect access to a fully API capable session ID is a great example of why our content security policy is currently so restrictive. Leaking an API said back to the client in a way that malicious JavaScript can easily steal is precisely why we have things locked down so tightly today. What should happen if you attempted to serialize an API session ID from an apex controller? That session ID is supposed to be the same restricted access Aura session ID but we apparently have a leak in that underlying logic. Our belt and suspenders approach with CSP combined with serving from a separate domain actually thwarted this potential attack.

Why did we do these things? Most of it boils down to "protect Setup". Without these safeguards in place is almost trivial for malicious client side code to gain height and privileges and access to administrative level functionality by remote controlling the setup user interface Also, much of what we have done so far represent cross site scripting (XSS) attack countermeasures.

There is definitely much more to the story but hopefully this gives you some of the back story to better understand our decisions and direction. This is not the end, rather just the beginning, and we are hard at work on improving and refining our approach to balancing the security requirements that we have to satisfy along with providing all of you with the tools that you need to build what you want.

[SalesForce] Playing Audio files attached to Opportunities in a Lightning Component

This is working for me. Do you have different settings? I tested this on Chrome browser. Also this is on Spring'17 environment.

HelloWorldApp.app:

<aura:application extends="force:slds">
    <c:PlayAudioFile></c:PlayAudioFile>
</aura:application>

PlayAudioFile.cmp:

<aura:component >
    <audio src="https://john-dev-ed--c.na31.content.force.com/servlet/servlet.FileDownload?file=00P37000008SP6U" 
            autoplay="true">
    </audio>
</aura:component>

I don't see any CSP errors in the console.

EDIT:

If there are any CSP errors in the console, URL needs to be whitelisted in security controls(setup) as OP mentioned in the below comments.

Best Answer

Related Solutions

[SalesForce] How to call a Salesforce REST URL from Lightning Component

[SalesForce] Playing Audio files attached to Opportunities in a Lightning Component

Related Topic