
We use three kinds of cookies on our websites: required, functional, and advertising. You can choose whether functional and advertising cookies apply. Click on the different cookie categories to find out more about each category and to change the default settings.
Privacy Statement
Required cookies are necessary for basic website functionality. Some examples include: session cookies needed to transmit the website, authentication cookies, and security cookies.
Functional cookies enhance functions, performance, and services on the website. Some examples include: cookies used to analyze site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual.
Advertising cookies track activity across websites in order to understand a viewer’s interests, and direct them specific marketing. Some examples include: cookies used for remarketing, or interest-based advertising.
The X-Frame-Options HTTP response header controls whether a web page can be displayed inside an HTML <iframe> element on another domain. Salesforce-hosted sites and pages include specific X-Frame-Options values in their HTTP responses. When the value is set to DENY or SAMEORIGIN, the browser blocks the content from loading inside an iframe. You may see an error similar to: 'http://some.custom.url/' refused to connect — the site set 'X-Frame-Options' to 'SAMEORIGIN'.
The X-Frame-Options header has three possible values:
If a Salesforce page carries SAMEORIGIN, it cannot be embedded in an iframe on a non-Salesforce domain, because the domain of the embedding site differs from the Salesforce domain.
The X-Frame-Options header is a browser-enforced security control. Salesforce cannot override the X-Frame-Options settings of a third-party site, and third-party sites cannot override Salesforce's settings. The behavior is enforced at the browser level based on HTTP response headers.
If you own the site you want to display within a Salesforce iframe:
salesforce.com or force.com to your site's crossdomain.xml file to permit cross-domain access.Note: Modern browsers have deprecated ALLOW-FROM in favor of the Content-Security-Policy: frame-ancestors directive. Consider using Content-Security-Policy for broader browser compatibility.
000385955