Embedded Visualforce pages are displayed when preference "Enable clickjack protection for customer Visualforce pages with headers disabled" is enabled

Knowledge Article Number 000232434
Description The "Enable clickjack protection for customer Visualforce pages with headers disabled" setting was introduced in Summer '15. When it is enabled, Visualforce pages with showHeader="false" that are added to a home page layout are not displayed, as documented. However, Visualforce pages with showHeader="false" that are embedded in an object's page layout are still displayed even when the setting is enabled.
 
Resolution Embedded Visualforce pages are retrieved via a self-posting form, and the returned markup is then inserted inside an iframe. This code path is not affected by the "Enable clickjack protection for customer Visualforce pages with headers disabled" setting.

When a Visualforce page is added to a home page layout, it gets loaded via an iframe's src attribute:
 
<iframe frameborder="no" height="500px" id="06620000000Lzre" marginheight="0" marginwidth="0" name="06620000000Lzre" scrolling="no" src="https://<instance>.visual.force.com/apex/VisualforcePageName?..." title="Visualforce page's label" width="100%"></iframe>
 

In this case, the X-FRAME-OPTIONS: SAMEORIGIN response header, which is present when the setting "Enable clickjack protection for customer Visualforce pages with headers disabled" is enabled, prevents the browser from displaying the contents of the Visualforce page.

However, when a Visualforce page is embedded in an object's page layout, the content of the Visualforce page is retrieved via a self-posting form to /servlet/servlet.Integration and rendered inside an HTML iframe component, and the browser does not prevent this:
 
<iframe frameborder="no" height="150px" id="066g0000000Dbxm" marginheight="0" marginwidth="0" name="066g0000000Dbxm" scrolling="yes" title="VisualforcePageName" width="100%"> 
</iframe> 
<form action="https://<instance>.visual.force.com/servlet/servlet.Integration?lid=066g0000000Dbxm&amp;ic=1&amp;linkToken=..." id="echoScontrolForm_066g0000000Dbxm" method="post" name="echoScontrolForm_066g0000000Dbxm" target="066g0000000Dbxm" > 
... 
</form> 
<script>document.forms['echoScontrolForm_066g0000000Dbxm'].submit() 
</script>
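The following script is an added illustration for this article (it is not part of the Knowledge Article and not Salesforce code). It applies the browser's framing rules to the two code paths described above: a response is only blocked when the response that lands in the frame itself carries a framing restriction, regardless of how the iframe was populated. The host names (example-instance.*), the record ids and the response headers are constructed; in particular the script assumes, as the observed behaviour implies, that the response to the self-posted servlet.Integration request carries no X-Frame-Options header. It also evaluates the Content-Security-Policy frame-ancestors directive, which the article does not mention but which browsers honour in preference to X-Frame-Options, so administrators can check both headers on a given response.

```javascript
// Added example for this article (not Salesforce code): apply the browser's
// framing rules to a response and decide whether it renders inside an iframe.
// Rules implemented: X-Frame-Options DENY / SAMEORIGIN, and the CSP
// frame-ancestors directive, which browsers honour in preference to
// X-Frame-Options when both are present. ALLOW-FROM is obsolete and ignored.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Case-insensitive header lookup (X-FRAME-OPTIONS and X-Frame-Options are the same header).
function getHeader(headers, name) {
  const key = Object.keys(headers).find((h) => h.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Match one frame-ancestors source expression against the embedding origin.
// Ports are not modelled; 'self' means the framed document's own origin.
function sourceMatches(src, embedderOrigin, contentOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedderOrigin === contentOrigin;
  if (s === "*") return true;
  const e = new URL(embedderOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return e.protocol === s; // scheme-only source, e.g. "https:"
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)$/); // [scheme://][*.]host
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && `${scheme}:` !== e.protocol) return false;
  return wildcard ? e.hostname.endsWith(`.${host}`) : e.hostname === host;
}

// Decide whether the browser renders contentUrl's response inside a frame on embedderUrl.
function framingAllowed(headers, contentUrl, embedderUrl) {
  const contentOrigin = originOf(contentUrl);
  const embedderOrigin = originOf(embedderUrl);

  const csp = getHeader(headers, "content-security-policy");
  if (csp) {
    const directive = csp.split(";").map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      const allowed = sources.some((s) => sourceMatches(s, embedderOrigin, contentOrigin));
      return { allowed, reason: `CSP ${directive}` };
    }
  }

  const xfo = getHeader(headers, "x-frame-options");
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
    if (value === "SAMEORIGIN") {
      return { allowed: embedderOrigin === contentOrigin, reason: "X-Frame-Options: SAMEORIGIN" };
    }
    // Any other value (including the obsolete ALLOW-FROM) is ignored by current browsers.
  }
  return { allowed: true, reason: "no framing restriction in response headers" };
}

// The two code paths from the article, with constructed placeholder hosts and ids.
// Assumption: the servlet.Integration response carries no X-Frame-Options header,
// which is what the article's observed behaviour implies.
function articleCases() {
  const layoutPage = "https://example-instance.salesforce.com/home/home.jsp"; // placeholder
  const apexUrl = "https://example-instance.visual.force.com/apex/VisualforcePageName";
  const integrationUrl =
    "https://example-instance.visual.force.com/servlet/servlet.Integration?lid=066g0000000Dbxm&ic=1";
  return {
    // Home page layout: the iframe src loads the page directly; the header blocks it.
    homePageLayout: framingAllowed({ "X-FRAME-OPTIONS": "SAMEORIGIN" }, apexUrl, layoutPage),
    // Object page layout: the self-posting form targets the iframe; no header, so it renders.
    objectPageLayout: framingAllowed({ "Content-Type": "text/html" }, integrationUrl, layoutPage),
  };
}

console.log(articleCases());
```

Running the script with Node prints the decision and the reason for both layouts. To check a real response rather than the constructed ones, pass the headers captured from the browser's network panel for the request that actually fills the frame (the POST to servlet.Integration in the embedded case, not the page that contains the form).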