[SalesForce] Upcoming “clickjacking” protection

There is a new alert on the Partnerforce portal that is letting partners know of the upcoming "clickjack protection" for non-setup pages in Winter '13. It seems to be stating that if a customer turns this on, ALL framed/iframed pages (Visualforce or otherwise) will stop working.

Does anybody have any more information on this? If I'm reading it correctly, it's going to be an unusable feature for any customer who either has installed a package that uses frames or has done their own custom implementation using frames or iframes. I've personally seen dozens of customers who do this.

If this is the case, I hope SFDC at least has it turned off by default and boldly warns anyone who turns it on that it is likely to break pages if they use frames anywhere.

Does anybody know anything? It sounds like a feature which could potentially break a LOT of managed package features but is seemingly not getting much press. I posted this question in the official Visualforce forum but got no response.

Best Answer

There's more on this in the Winter '13 release notes.

Interpreting the release notes, it looks like you have to go in and enable the settings. The release notes do inform the user that some pages may display as blank.

Clickjacking Protection Available

You can enable protection against clickjack attacks (also known as user interface redress attacks) for non-setup pages and your custom Visualforce pages. Setup pages already include protection against clickjack attacks. Click Your Name > Setup > Security Controls > Session Settings to select:
  • Enable clickjack protection for non-setup Salesforce pages

  • Enable clickjack protection for customer Visualforce pages with standard headers

  • Enable clickjack protection for customer Visualforce pages with headers disabled

It’s possible that pages will either display as a blank page or without the frame if either of these settings is enabled and either of the following conditions exists:

  • Your organization displays Salesforce.com user interface pages within a frame or iframe.

  • You use custom Visualforce pages within a frame or iframe.

The behavior varies depending on your browser and its version. To ensure that these pages will continue to work correctly in your organization, discontinue displaying these pages within a frame or iframe.
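To make the "blank page" behaviour described above concrete, here is an added illustration (not Salesforce's code, and not from the release notes) of the two usual clickjacking defences: a client-side frame check that blanks a page when it is loaded inside a frame or iframe, and a classifier for the `X-Frame-Options` / CSP `frame-ancestors` response headers that a site administrator can use to audit their own pages. The function names and the window/document/header objects are the author's own assumptions for a runnable example.

```javascript
// Added illustration of standard anti-framing defences. This is NOT Salesforce's
// implementation; function names and objects here are constructed for the example.

// Report whether a page is being displayed inside a frame or iframe.
// `win` is any window-like object with `top` and `self` (tests pass constructed ones).
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    // Reading win.top throws across origins; that itself means we are framed.
    return true;
  }
}

// Classify a response's anti-framing headers (header map with lowercase keys).
// Returns 'denied', 'same-origin-only', or 'allowed'. CSP frame-ancestors wins
// over X-Frame-Options in modern browsers, so it is checked first.
function framingPolicy(headers) {
  const csp = headers['content-security-policy'] || '';
  const m = csp.match(/frame-ancestors\s+([^;]+)/i);
  if (m) {
    const sources = m[1].trim().toLowerCase().split(/\s+/);
    if (sources.includes("'none'")) return 'denied';
    if (sources.length === 1 && sources[0] === "'self'") return 'same-origin-only';
    return 'allowed';
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'denied';
  if (xfo === 'SAMEORIGIN') return 'same-origin-only';
  return 'allowed';
}

// Frame-busting behaviour for pages that cannot set response headers:
// when framed, empty the document so the embedding page shows a blank frame.
// Returns true when the page was blanked.
function protectPage(win, doc) {
  if (isFramed(win)) {
    doc.body.innerHTML = '';
    return true;
  }
  return false;
}

// Only run the protection automatically inside a real browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  protectPage(window, document);
}
```

Running `framingPolicy` over the headers of a page that renders blank inside an iframe tells you whether the blanking comes from a header (browser-enforced) or from script, which is why the release notes say behaviour varies by browser.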
