Site failing to display within an iFrame
|Knowledge Article Number||000182205|
|Description||Whether or not a site displays within an iFrame is dependent on the site's X-Frame-Options parameter that is passed along with the request. Depending on this parameter, the site will either display, not display, or display with limitations. Here is an example error:
Refused to display 'http://some.custom.url/' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
The browser's security controls will also be a factor.
|Resolution||Here is an excellent resource from Mozilla that highlights the different options of the X-Frame-Options parameter, along with the implications of each:
When a site carries the "DENY' or "SAMEORIGIN" page, that either prohibits the site from being displayed in an iFrame altogether, or it requires that the iFrame displaying this URL be a member of the same domain (origin) as the site itself. For example, if you try to display one of these sites within a Salesforce iFrame and you encounter the SAMEORIGIN parameter, that means the site is not permitted to run on Salesforce, as the domain of Salesforce and the domain of the host site are different.
Note: There is no solution for this as this is enforced by browsers based on headers. If you own the site that you are trying to add via iFrame then you can send the headers stating that your site might be added by others, or add salesforce.com or force.com in crossdomain.xml.