Extend Salesforce with Clicks, Not Code
          Enable Clickjack Protection in Site.com

          Clickjacking is an attack that tricks users into clicking something, such as a button or link, because they believe that they are clicking something safe. Instead, the click lands on an element of your site and performs an action the user never intended, which can lead to data intrusion, unauthorized emails, changed credentials, or other site-specific results. The attacker does this by loading one of your site pages in an invisible iframe on a page that the attacker controls, layered over a decoy button or link: the user sees the decoy, but the click goes to the framed page. With clickjack protection, you configure which domains, if any, are allowed to frame your Site.com site pages. The setting is delivered in the HTTP response headers that your site sends (X-Frame-Options and the Content-Security-Policy frame-ancestors directive) and is enforced by the visitor's browser, so it protects only browsers that honor those headers.

          Required Editions

          Available in: Salesforce Classic

          Available for purchase in: Enterprise, Performance, and Unlimited Editions

          Available (with limitations) in: Developer Edition

          User Permissions Needed
          To build, edit, and manage Site.com sites:

          Site.com Publisher User field enabled on the user detail page

          AND

          Site administrator or designer role assigned at the site level

          Note: To configure clickjack protection for Experience Cloud sites, see Enable Clickjack Protection in Experience Cloud Sites.
          1. In Site.com Studio, click Site Configuration | Edit.
          2. Select your preferred level of clickjack protection.
            • Allow framing by any page (no protection): The least secure level. A page on any domain can frame your site pages, so nothing stops an attacker from building a clickjacking page around them.
            • Allow framing of site pages on external domains (good protection): Only the external domains that you trust can frame your site pages. You specify those domains in the Trusted Domains for Inline Frames list.
            • Allow framing by the same origin only (recommended): The default level for Site.com sites. Allows framing of site pages only by pages from the same origin, that is, the same domain name and the same protocol (http or https). A page served over http can't frame a page served over https, even on the same domain.
            • Don’t allow framing by any page (most protection): The most secure level, but because it also blocks framing by your own pages, any page that is rendered inside an iframe appears blank. To avoid this issue, use the default setting instead.
          3. Save your changes.
          4. If you chose to allow framing of your site pages on external domains, specify the domains that you trust to frame each site’s pages.
            1. From Setup in Salesforce Classic, enter Sites in the Quick Find box, and then select Sites.
            2. Click the site label to open the Site Details page.
            3. Click Add Trusted Domain in the Trusted Domains for Inline Frames section and enter the domain that you want to allow to frame your site pages.

              You can add up to 512 domains.

              Some infrastructure limits the maximum size of HTTP headers. If you allow multiple domains to frame your site pages, keep the size of the CSP header under 12 KB. Salesforce customers report issues when the header size approaches 16 KB, and third parties often add to the header during processing.

              Tip: Added domains take effect only when Allow framing of site pages on external domains (good protection) is selected.
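          The four protection levels and the CSP header-size guidance above, modeled in Python as an added example. This is not Salesforce's code: the help page doesn't show the exact header values that Salesforce emits, so the mapping of each level to X-Frame-Options and Content-Security-Policy frame-ancestors below is an assumption that follows the standard semantics of those headers, and treating the trusted-domains level as also permitting your own origin ('self') is assumed too. The site origin, the trusted domains and the 512-domain list are constructed sample data.

```python
"""Model of the Site.com clickjack-protection levels as response headers.

Added example, not Salesforce code. The header values are an assumption
based on standard X-Frame-Options / CSP frame-ancestors semantics.
"""
from urllib.parse import urlsplit

# Constructed sample data: the site's own origin and its trusted-domain list.
SITE_ORIGIN = "https://MyDomainName.my.site.com"
TRUSTED = ["https://www.example.com", "https://partner.example.net"]

CSP_HEADER_LIMIT = 12 * 1024  # the page's guidance: keep the CSP header under 12 KB


def origin_of(url):
    """Normalise a URL (or bare host) to its (scheme, host, port) origin."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def frame_headers(level, trusted=()):
    """Response headers for a protection level (assumed mapping)."""
    if level == "any":            # Allow framing by any page (no protection)
        return {}
    if level == "same-origin":    # Allow framing by the same origin only (default)
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
    if level == "deny":           # Don't allow framing by any page
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    if level == "trusted":        # Allow framing of site pages on external domains
        if not trusted:
            raise ValueError("'trusted' level needs at least one trusted domain")
        # X-Frame-Options cannot carry a list (ALLOW-FROM takes one URI and is
        # IE-only), so only the CSP directive is emitted for this level here.
        sources = " ".join(["'self'"] + list(trusted))
        return {"Content-Security-Policy": "frame-ancestors " + sources}
    raise ValueError("unknown level: " + level)


def is_framing_allowed(level, framer_url, site_origin=SITE_ORIGIN, trusted=()):
    """Would a browser honoring the headers let framer_url frame the site?"""
    if level == "any":
        return True
    if level == "deny":
        return False
    same = origin_of(framer_url) == origin_of(site_origin)
    if level == "same-origin":
        return same
    if level == "trusted":
        return same or origin_of(framer_url) in {origin_of(t) for t in trusted}
    raise ValueError("unknown level: " + level)


def csp_header_size(headers):
    """Bytes of the CSP header line as sent on the wire (0 if absent)."""
    value = headers.get("Content-Security-Policy", "")
    return len(("Content-Security-Policy: " + value).encode()) if value else 0


def csp_header_fits(headers, limit=CSP_HEADER_LIMIT):
    """True when the CSP header stays under the 12 KB guidance."""
    return csp_header_size(headers) < limit


if __name__ == "__main__":
    for level in ("any", "same-origin", "trusted", "deny"):
        print(level, frame_headers(level, TRUSTED))
    # 512 typical-length domains already push the header past 12 KB.
    many = ["https://partner%03d.example.com" % i for i in range(512)]
    print("512 domains:", csp_header_size(frame_headers("trusted", many)), "bytes")
```

Note that the same-origin check compares scheme as well as host, which is why an http page fails to frame the https site, and that the maximum of 512 trusted domains is not a safe target: 512 domains of ordinary length produce a CSP header of roughly 16 KB, the size at which the page says customers report problems.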
          Note: Internet Explorer supports clickjack protection only through the legacy X-Frame-Options HTTP header; it ignores the CSP frame-ancestors directive. The standard values of that header are sameorigin, deny (the equivalent of frame-ancestors 'none'), and allow-from uri. The value allowall is sometimes seen but isn't standard, and a browser that doesn't recognize a value ignores the header, so it grants no protection. In particular, allow-from uri accepts only a single URI, so the header can't carry a list of trusted domains.

          To support a list of trusted domains for IE users, the framing site must identify itself to your site by passing its own domain in a _iframeDomain query parameter on the iframe's src URL. Your site can then send allow-from for that one domain, provided that the domain is in the trusted list. For example, if you add https://www.example.com as a trusted external domain and your site URL is https://MyDomainName.my.site.com, then the page on https://www.example.com must build its iframe as follows:

          <iframe src="https://MyDomainName.my.site.com?_iframeDomain=https://www.example.com"></iframe>

          You can also set the trusted external domain in the iframeDomain cookie. This keeps framing working in IE when the _iframeDomain query parameter is dropped as the user navigates between pages. The following Apex, run from the site page, reuses the cookie if the browser already sent it and otherwise sets it as a secure session cookie:

          // Reuse the iframeDomain cookie if the browser already sent it
          Cookie iframeDomainCookie = ApexPages.currentPage().getCookies().get('iframeDomain');
          
          if (iframeDomainCookie == null) {
              // Session cookie (maxAge -1), sent for every path, HTTPS only.
              // The value must be a domain in the site's Trusted Domains for Inline Frames list.
              iframeDomainCookie = new Cookie('iframeDomain', 'www.example.com', null, -1, true);
          
              // Set the new cookie for the page
              ApexPages.currentPage().setCookies(new Cookie[]{ iframeDomainCookie });
          }
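          How a server should turn the _iframeDomain query parameter or the iframeDomain cookie into the single URI that allow-from can carry, as an added example in Python. It is neither Salesforce's code nor a translation of the Apex above; the trusted list, request URLs and cookie values are constructed. The point it makes explicit is that both the parameter and the cookie are attacker-controllable, so the claimed domain must be matched against the Trusted Domains list before it is echoed into the header, and an unknown value must not be honored (falling back to sameorigin for that case is an assumption of this example).

```python
"""Server-side selection of the one ALLOW-FROM URI for Internet Explorer.

Added example, not Salesforce code. Shows that the _iframeDomain query
parameter and the iframeDomain cookie are untrusted input and must be
checked against the configured trusted-domain list before use.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed: the domain added under Trusted Domains for Inline Frames.
TRUSTED = ["https://www.example.com"]


def origin_of(url):
    """Normalise a URL (or bare host) to its (scheme, host, port) origin."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def claimed_frame_domain(request_url, cookies):
    """The framer the request claims: _iframeDomain parameter first, then cookie."""
    query = parse_qs(urlsplit(request_url).query)
    if query.get("_iframeDomain"):
        return query["_iframeDomain"][0]
    return cookies.get("iframeDomain")


def ie_frame_header(request_url, cookies, trusted=TRUSTED):
    """X-Frame-Options value for IE: ALLOW-FROM only for a trusted framer."""
    claimed = claimed_frame_domain(request_url, cookies)
    if claimed is None:
        return "SAMEORIGIN"
    for entry in trusted:
        # Compare normalised origins, then emit the configured entry rather
        # than the raw request value, so nothing attacker-supplied is echoed.
        if origin_of(entry) == origin_of(claimed):
            return "ALLOW-FROM " + entry
    # Unknown or attacker-chosen domain: refuse it, keep same-origin protection.
    return "SAMEORIGIN"


if __name__ == "__main__":
    site = "https://MyDomainName.my.site.com"
    print(ie_frame_header(site + "?_iframeDomain=https://www.example.com", {}))
    print(ie_frame_header(site + "/page2", {"iframeDomain": "www.example.com"}))
    print(ie_frame_header(site + "?_iframeDomain=https://evil.example.org", {}))
```

Because allow-from holds one URI, the header is computed per request from the identity the framer presents; the cookie path covers the later page loads where IE has lost the query parameter, and both paths end in the same allow-list check.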
          
          Salesforce Help | Article