I have a Visualforce page with an embedded page from the Moodle site, but in Production I got this error in the console log:
Refused to display 'https://learn.psa.org.au/enrol/index.php?id=2848'
in a frame because it set 'X-Frame-Options' to 'sameorigin'.
But in the sandbox it works fine.
Best Answer
Actually, clickjack protection secures your Visualforce pages against user interface redress attacks.
Salesforce provides two ways to apply this protection:
showHeader="true"
So clickjack protection is implemented by Salesforce by adding an X-Frame-Options: SAMEORIGIN header to Visualforce pages. When headers are suppressed by setting showHeader="false" on a page, this header isn't added to the page, and clickjack protection is disabled.
But what if you want this protection enabled and also don't want to show the header? For this, Salesforce has provided a global setting:
Enable clickjack protection for customer Visualforce pages with headers disabled
under Setup | Security Controls | Session Settings
Enabling clickjack protection for Visualforce pages has some side effects. When this header is activated, only pages served from the Visualforce domain can wrap Visualforce pages in an <iframe>, or otherwise embed Visualforce pages.
You have two options for handling existing framed Visualforce pages.
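A way to reproduce the browser's decision offline, so you can tell which side is refusing the frame: the function below applies the X-Frame-Options steps from the HTML specification to the headers of the framed response and the origins of the pages embedding it. This is an added example, not code from the question, the answer or Salesforce; the Moodle URL and header value are those quoted in the question, and the Visualforce page URL is a placeholder.

```python
"""Evaluate X-Frame-Options the way a browser does before rendering a frame."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """Return the (scheme, host, port) tuple used for same-origin comparison."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme))


def frame_allowed(framed_url: str, headers: dict, ancestor_urls: list) -> bool:
    """HTML-spec X-Frame-Options check for a response loaded inside a frame.

    framed_url:    the URL whose response carried `headers` (the page inside the frame)
    headers:       response header map, names matched case-insensitively
    ancestor_urls: the embedding page plus any pages framing it (empty = top-level)
    """
    if not ancestor_urls:
        return True  # X-Frame-Options never blocks a top-level navigation
    lowered = {k.lower(): v for k, v in headers.items()}
    if "frame-ancestors" in lowered.get("content-security-policy", "").lower():
        # Browsers ignore X-Frame-Options when CSP frame-ancestors is present.
        raise ValueError("frame-ancestors present: evaluate the CSP instead")
    values = []
    for token in lowered.get("x-frame-options", "").split(","):
        token = token.strip().lower()
        if token and token not in values:
            values.append(token)  # de-duplicated, lower-cased, in order
    if not values:
        return True  # no header: any origin may frame the page
    if len(values) > 1:
        # Conflicting values: these tokens force a refusal, anything else is ignored.
        return not any(v in ("deny", "allowall", "invalid") for v in values)
    if values[0] == "deny":
        return False
    if values[0] == "sameorigin":
        framed = origin_of(framed_url)
        return all(origin_of(a) == framed for a in ancestor_urls)
    return True  # unrecognised single value (e.g. ALLOW-FROM) is ignored


# Constructed sample reproducing the question: the Moodle response sets
# X-Frame-Options: sameorigin and is framed by a Visualforce page on a different origin.
MOODLE_URL = "https://learn.psa.org.au/enrol/index.php?id=2848"
MOODLE_HEADERS = {"X-Frame-Options": "sameorigin"}
VF_PAGE = "https://example.visualforce.com/apex/MoodleEmbed"  # placeholder embedding page


def explain(framed_url: str, headers: dict, ancestors: list) -> str:
    """One-line verdict for a framed URL, e.g. 'refused: <url> framed by <embedder>'."""
    verdict = "allowed" if frame_allowed(framed_url, headers, ancestors) else "refused"
    return f"{verdict}: {framed_url} framed by {ancestors[0] if ancestors else 'top-level'}"
```

Running `explain(MOODLE_URL, MOODLE_HEADERS, [VF_PAGE])` gives the refusal seen in the question, because the header belongs to the framed Moodle response and the embedding Visualforce page is on another origin; the same function shows that a Visualforce page carrying SAMEORIGIN can only be framed from its own Visualforce domain.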