[SalesForce] Winter 13 Clickjacking protection – is the following expected or a bug

Here are the steps to reproduce on a Winter 13 sandbox:

Create the following VisualForce component called TestClickJackComponent:

<apex:component >
<!-- Begin Default Content REMOVE THIS -->
<h1>Congratulations</h1>
This is your new Component
<!-- End Default Content REMOVE THIS -->
</apex:component>

Create the following VisualForce page called TestClickJack:

<apex:page StandardController="Lead">
<!-- Begin Default Content REMOVE THIS -->
<h1>Congratulations</h1>
This is your new Page
<!-- End Default Content REMOVE THIS -->
<c:TestClickJackComponent />
</apex:page>

Add the page to your lead page layout. You'll see:

Congratulations This is your new Page Congratulations This is your new Component

Now go to Setup – Security Controls – Session Settings and select
Enable clickjack protection for non-setup customer Visualforce pages

Now you'll see:

URL No Longer Exists You have attempted to reach a URL that no longer
exists on salesforce.com.

So, my question is – is this a bug? Or is it expected behavior with the new clickjacking protection?

Best Answer

Have received further reliable information from Salesforce.

This is the expected behavior, at least for now. They will be looking into it further.

The workaround is to be sure to set ShowHeader = false on the page tag for the VisualForce page.

From my perspective, the real failure here is in communication. A failure to make it very clear in the documentation and release notes that this problem does apply to VisualForce pages on page layouts, a failure to clearly document the workaround (it's not even mentioned in the release notes), a failure to give organizations and ISVs lead time that this issue was coming so they'd have time to validate code and put in the necessary updates before users turn on this feature and go into a panic when everything breaks. A failure of the support organization (I opened a case and got back that this was a "feature" - but without any note of the workaround).
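One way to validate existing pages before the setting is turned on, as an added example that is not part of the original question or answer and is not Salesforce code: it scans Visualforce page markup and lists the standard-controller pages that do not yet carry the showHeader workaround. It assumes that standard-controller pages are the ones that can sit on a page layout and that an absent showHeader attribute means the header is shown; the function names, the sample pages other than TestClickJack, and ReportCtl are hypothetical.

```python
import re

# Opening <apex:page ...> tag. Quoted values are consumed whole so a ">" inside
# an attribute value does not end the tag early. Names are matched
# case-insensitively because the page above writes "StandardController".
PAGE_TAG = re.compile(r"""<apex:page\b((?:[^>"']|"[^"]*"|'[^']*')*)>""", re.IGNORECASE)
ATTR = re.compile(r"""([\w:]+)\s*=\s*(["'])(.*?)\2""", re.DOTALL)


def page_attributes(markup):
    """Return the <apex:page> attributes (names lower-cased), or None if no tag."""
    tag = PAGE_TAG.search(markup)
    if tag is None:
        return None
    return {name.lower(): value.strip() for name, _, value in ATTR.findall(tag.group(1))}


def needs_workaround(markup):
    """True for a standard-controller page that does not set showHeader to false."""
    attrs = page_attributes(markup)
    if attrs is None or "standardcontroller" not in attrs:
        return False
    # Assumption: an absent showHeader attribute means the header is shown.
    return attrs.get("showheader", "true").lower() != "false"


def audit(pages):
    """pages maps page name -> markup; returns the names still needing the workaround."""
    return sorted(name for name, markup in pages.items() if needs_workaround(markup))


# Constructed sample input. Only TestClickJack comes from the question above;
# the other page names and ReportCtl are hypothetical.
SAMPLE_PAGES = {
    "TestClickJack": '<apex:page StandardController="Lead">\n'
                     "<c:TestClickJackComponent />\n</apex:page>",
    "TestClickJackFixed": '<apex:page standardController="Lead" showHeader="false">\n'
                          "<c:TestClickJackComponent />\n</apex:page>",
    "QuotedValues": "<apex:page standardController='Lead' title=\"a > b\" "
                    "ShowHeader='FALSE'>ok</apex:page>",
    "StandaloneReport": '<apex:page controller="ReportCtl">Report</apex:page>',
}

if __name__ == "__main__":
    for name in audit(SAMPLE_PAGES):
        print(f'{name}: standard-controller page without showHeader="false"')
```

To run it over a real org, fill the mapping from the retrieved page source files instead of SAMPLE_PAGES.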