[SalesForce] Problem with iframe for visualforce page in Lightning Component

I am embedding a Visualforce page from a managed package into a Lightning Component using an iFrame. This is throwing an XSS error when a community user attempts to access the page.

I have replaced the actual domain name with clientdomain for customer confidentiality.

Refused to display 'https://clientdomain–flex.cs82.my.salesforce.com/?ec=302&startURL=%2Fvisual…land–flex–b25.cs82.visual.force.com%252Fapex%252Fb25__lightning_calendar' in a frame because it set 'X-Frame-Options' to 'DENY'.

In the Lightning component I have got the URL hardcoded as

https://clientdomain--flex--b25.cs82.visual.force.com/apex/lightning_calendar"

The community users are logging into a site with the domain as

https://flex-clientdomain.cs82.force.com

If I can replace the hardcoding of the domain in the Lightning component I suspect this may fix the problem as the user is not authenticated to SF on that domain, but when I have tried using a string like

/visual.force.com/apex/lightning_calendar

or

/apex/lightning_calendar

It throws an error with Invalid page where the component is embedded in a community page.

Best Answer

I was looking for the answer to this as well and i found this. For your code you would have to do

<iframe src="../apex/lightning_calendar" ></iframe>

instead of

<iframe src="/apex/lightning_calendar" ></iframe>

it is an odd work around

Related Solutions

[SalesForce] oAuth from VF Page in New Lightning – Cannot redirect vf page (iFrame) to login.salesforce.com

I usually also set

pr.setRedirect(true);

to make the redirect happen clientside (instead of serverside) so that's worth a try. See for more info here.

What I would suggest is creating a public property on the controller to store the authURL

public String redirectURL { get; set; }

then doing the redirect in Javascript. For this, you'll need rendering the redirectURL in a div (you can't rerender javascript, it will become non-functional CDATA), and do the redirect using something like this

<apex:outputPanel id='redirectURLwrapper'>
    <div id='redirectURL'>{!redirectURL}</div>
</apex:outputPanel>

<script>
    function tryRedirect() {
        var redirect = document.getElementById("redirectURL")[0].innerHTML;
        if (redirect) { top.location.href = redirect; }
    }
</script>

<apex:actionFunction action="{! }" reRender="redirectURLwrapper" oncomplete="tryRedirect();" />

We use top.location.href to make the redirect happen at the top (browser-screen) level, so not inside the iFrame. I have not tested this code literally, but you should get the idea.

If you don't want to lose your existing page, you could also open the URL in a new window like so

<script>
    var windowObjectReference;
    function tryRedirect() {
        var redirect = document.getElementById("redirectURL")[0].innerHTML;
        if (redirect) { 
            windowObjectReference = window.open(redirect, 'newWindowName');                    
        }
        // the popup window should close itself in the return window. If that is not possible, then poll the windowObjectReference and after you detect a redirect, call windowObjectReference.close(); to close it
    }
</script>

Does that help?

[SalesForce] How to pass the parameters from VF Page into Lightning Component

Probably you'll find an answer there:

"For the same-origin policy every browser blocks any script trying to access a frame with a different origin... Protocol, hostname and port must be the same of your domain, if you want to access a frame". SecurityError: Blocked a frame with origin from accessing a cross-origin frame

Related Topic