[SalesForce] ‘X-Frame-Options’ to ‘sameorigin’

I have a Visualforce page with an embedded page from the Moodle site, but in Production I got this error in the console log:

Refused to display 'https://learn.psa.org.au/enrol/index.php?id=2848'
in a frame because it set 'X-Frame-Options' to 'sameorigin'.

But in the sandbox it works fine.

Best Answer

Actually, clickjack protection secures your Visualforce pages against user interface redress attacks.

Salesforce provides two ways to apply this protection:

  1. By enabling a global setting
  2. Keeping the Salesforce default header in your page, that is, showHeader="true"

So clickjack protection is implemented by Salesforce by adding an X-Frame-Options: SAMEORIGIN header to Visualforce pages. When headers are suppressed by setting showHeader="false" on a page, this header isn’t added to the page, and clickjack protection is disabled.

But what if you want this protection enabled and also don't want to show the header? For this, Salesforce has provided a global setting:

Enable clickjack protection for customer Visualforce pages with headers disabled

under Setup | Security Controls | Session Settings

Enabling clickjack protection for Visualforce pages has some side effects. When this header is activated, only pages served from the Visualforce domain can wrap Visualforce pages in an iframe, or otherwise embed Visualforce pages.

You have two options for handling existing framed Visualforce pages.

  1. Discontinue displaying these pages within a frame or iframe. This solution is recommended.
  2. Don’t enable clickjack protection for your Visualforce pages. This option allows you to continue framing Visualforce pages, but the pages are vulnerable to clickjack attacks. This option isn’t recommended.
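As an added example (not part of the question or the answer above): the refusal shown in the question is a decision the browser makes from the framed site's response headers, checked against the origin of the page doing the framing. The script below models that decision for the Moodle URL from the question, following the rules browsers apply: a CSP frame-ancestors directive, when present, takes precedence over X-Frame-Options; otherwise the X-Frame-Options values are split on commas, lower-cased and deduplicated, more than one distinct value refuses, DENY refuses, SAMEORIGIN compares origins, and anything else (including the obsolete ALLOW-FROM) is ignored. The Visualforce origin is a hypothetical placeholder, the header sets are constructed, and the CSP source matching is simplified to the forms relevant here.

```javascript
// Added example, not code from the original post. Models "can page B be framed
// by page A?" from B's response headers, following the X-Frame-Options rules
// in the HTML spec plus the CSP frame-ancestors precedence rule.

function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`; // scheme + host + non-default port
}

// Simplified CSP source matching for frame-ancestors: 'none', 'self', '*',
// a full origin ("https://a.example"), or a host with an optional leading
// wildcard ("*.example.com"). Scheme/port checks for host-only sources are
// omitted here for brevity (simplification, not the full CSP algorithm).
function sourceMatches(source, embedderOrigin, framedOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedderOrigin === framedOrigin;
  if (s === "*") return true;
  if (s.includes("://")) return s.replace(/\/$/, "") === embedderOrigin.toLowerCase();
  const host = new URL(embedderOrigin).hostname;
  if (s.startsWith("*.")) return host.endsWith(s.slice(1));
  return host === s;
}

// headers: plain object of response header name -> value (names case-insensitive).
// Returns { allowed, reason } so the caller can see which rule decided.
function canBeFramed(headers, embedderOrigin, framedUrl) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const framedOrigin = originOf(framedUrl);

  // A frame-ancestors directive makes the browser ignore X-Frame-Options.
  const csp = h["content-security-policy"];
  if (csp) {
    const directive = csp.split(";").map(d => d.trim())
      .find(d => /^frame-ancestors(\s|$)/i.test(d));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1); // empty list matches nothing
      const allowed = sources.some(src => sourceMatches(src, embedderOrigin, framedOrigin));
      return { allowed, reason: `CSP ${directive}` };
    }
  }

  const xfo = h["x-frame-options"];
  if (xfo === undefined) {
    return { allowed: true, reason: "no X-Frame-Options or frame-ancestors" };
  }
  const values = [...new Set(xfo.split(",").map(v => v.trim().toLowerCase()))];
  if (values.length > 1) {
    return { allowed: false, reason: `conflicting X-Frame-Options values: ${xfo}` };
  }
  const value = values[0];
  if (value === "deny") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (value === "sameorigin") {
    const allowed = embedderOrigin === framedOrigin;
    return { allowed, reason: `X-Frame-Options: SAMEORIGIN (${embedderOrigin} vs ${framedOrigin})` };
  }
  // Unrecognised values (e.g. the obsolete ALLOW-FROM) are ignored by browsers.
  return { allowed: true, reason: `X-Frame-Options value "${value}" ignored` };
}

// Constructed sample inputs: the URL from the question, a hypothetical
// Visualforce origin, and three header sets (production as reported, a sandbox
// that sends no header, and a Moodle side that allows the Visualforce origin).
const MOODLE_URL = "https://learn.psa.org.au/enrol/index.php?id=2848";
const VF_ORIGIN = "https://example--c.visualforce.com"; // hypothetical placeholder
const PRODUCTION = { "X-Frame-Options": "sameorigin" };
const SANDBOX = {};
const FIXED = {
  "X-Frame-Options": "sameorigin",
  "Content-Security-Policy": `frame-ancestors 'self' ${VF_ORIGIN}`,
};

function demo() {
  const results = {};
  for (const [name, hdrs] of Object.entries({ PRODUCTION, SANDBOX, FIXED })) {
    results[name] = canBeFramed(hdrs, VF_ORIGIN, MOODLE_URL);
    console.log(name, results[name]);
  }
  return results;
}

demo();
```

Run it with node. The decision is the framed site's to make: the Salesforce clickjack setting governs who may frame Visualforce pages, not whether Visualforce may frame Moodle, so the production failure has to be resolved on the Moodle side (a frame-ancestors directive naming the Visualforce origin, as in FIXED) or by not framing the page. To see what a real server actually sends, compare with `curl -sI <url> | grep -i -e x-frame-options -e content-security-policy` against both environments; the sandbox working suggests that instance does not send the header.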