I usually also set
pr.setRedirect(true);
to make the redirect happen client-side (instead of server-side), so that's worth a try. See here for more info.
What I would suggest is creating a public property on the controller to store the authURL
public String redirectURL { get; set; }
then doing the redirect in JavaScript. For this, you'll need to render the redirectURL in a div (you can't rerender JavaScript, it will become non-functional CDATA), and do the redirect using something like this
<apex:outputPanel id='redirectURLwrapper'>
<div id='redirectURL'>{!redirectURL}</div>
</apex:outputPanel>
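<script>
  // Read the URL the controller rendered into the div and navigate the top-level window.
  function tryRedirect() {
    // getElementById returns a single element; textContent avoids an HTML-escaped "&amp;" in the URL.
    var redirect = document.getElementById("redirectURL").textContent.trim();
    if (redirect) { top.location.href = redirect; }
  }
</script>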
<apex:actionFunction action="{! }" reRender="redirectURLwrapper" oncomplete="tryRedirect();" />
We use top.location.href to make the redirect happen at the top (browser-screen) level, so not inside the iFrame. I have not tested this code literally, but you should get the idea.
If you don't want to lose your existing page, you could also open the URL in a new window like so
<script>
  var windowObjectReference;
  function tryRedirect() {
    // getElementById returns a single element; textContent avoids an HTML-escaped "&amp;" in the URL.
    var redirect = document.getElementById("redirectURL").textContent.trim();
    if (redirect) {
      windowObjectReference = window.open(redirect, 'newWindowName');
    }
    // the popup window should close itself in the return window. If that is not possible,
    // then poll the windowObjectReference and after you detect a redirect,
    // call windowObjectReference.close(); to close it
  }
</script>
Does that help?
Actually, clickjack protection secures your Visualforce pages against user interface redress attacks.
Salesforce provides 2 ways to apply this protection:
- By enabling a global setting
- Keeping the Salesforce default header in your page, that is
ShowHeader=true
So clickjack protection is implemented by Salesforce by adding an X-Frame-Options: SAMEORIGIN header to Visualforce pages. When headers are suppressed by setting showHeader="false" on a page, this header isn’t added to the page, and clickjack protection is disabled.
But what if you want this protection enabled and you also don't want to show the header? For this, Salesforce has provided a global setting:
Enable clickjack protection for customer Visualforce pages with headers disabled
under Setup | Security Controls | Session Settings
Enabling clickjack protection for Visualforce pages has some side effects. When this header is activated, only pages served from the Visualforce domain can wrap Visualforce pages in an <iframe>, or otherwise embed Visualforce pages.
You have two options for handling existing framed Visualforce pages.
- Discontinue displaying these pages within a frame or <iframe>. This solution is recommended.
- Don’t enable clickjack protection for your Visualforce pages. This option allows you to continue framing Visualforce pages, but the pages are vulnerable to clickjack attacks. This option isn’t recommended.
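The effect of the header described in the answer above can be modelled in a few lines. This is an added example, not code from the answers or from Salesforce: the hosts and response headers are constructed, and the model checks only the immediate parent frame.

```javascript
// Added example: simplified model of how a browser applies X-Frame-Options.
// Assumption: only the immediate parent is compared, not every ancestor frame.

// Parse a raw header block into a Map of lower-cased name -> list of values.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // skip status line and blank lines
    const name = line.slice(0, idx).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(line.slice(idx + 1).trim());
  }
  return headers;
}

// Decide whether the page at pageUrl may render in a frame hosted by parentUrl.
function framingDecision(rawHeaders, pageUrl, parentUrl) {
  const values = (parseHeaders(rawHeaders).get("x-frame-options") || [])
    .flatMap((v) => v.split(","))
    .map((v) => v.trim().toLowerCase())
    .filter(Boolean);
  const unique = [...new Set(values)];
  const known = unique.filter((v) => v === "deny" || v === "sameorigin");
  if (known.length === 0) {
    // Header absent (e.g. showHeader="false" without the global setting) or unrecognised.
    return { allowed: true, clickjackProtected: false };
  }
  if (unique.length > 1 || known[0] === "deny") {
    // DENY, or conflicting values: the frame is refused.
    return { allowed: false, clickjackProtected: true };
  }
  // SAMEORIGIN: framing is allowed only when scheme, host and port all match.
  const sameOrigin = new URL(pageUrl).origin === new URL(parentUrl).origin;
  return { allowed: sameOrigin, clickjackProtected: true };
}

// Constructed sample responses and hypothetical hosts, for illustration only.
const PAGE = "https://vf.example.test/apex/AuthPage";
const WITH_HEADER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nx-frame-options: SAMEORIGIN\r\n";
const WITHOUT_HEADER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n";

console.log(framingDecision(WITH_HEADER, PAGE, "https://vf.example.test/apex/Wrapper"));
console.log(framingDecision(WITH_HEADER, PAGE, "https://portal.example.test/home"));
console.log(framingDecision(WITHOUT_HEADER, PAGE, "https://portal.example.test/home"));
```

The second call is the situation from the question: a page that carries the header is refused inside a frame on another origin, while the third shows a page with no header rendering in any frame with no clickjack protection.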
Best Answer
Looks like there is a known issue for this: https://success.salesforce.com/issues_view?id=a1p3A000001HlBdQAK