Visualforce Limitations in Salesforce Classic When Third-Party Cookies are Blocked

If a user’s browser blocks third-party cookies or if your org enables the Require first-party use of Salesforce cookies setting on the My Domain Setup page, then Visualforce pages in Salesforce Classic have these limitations.

• Visualforce pages can’t be loaded in Classic console apps.

• Visualforce pages can’t be embedded as Classic home page components or as page layout components.

• Visualforce pages can’t be used as Classic dashboard components.

These issues occur because loading an authenticated Visualforce page within an iframe requires a Salesforce session cookie. In Classic, the parent page can use a different domain than the embedded Visualforce page, so the session cookie is treated as a third-party cookie and is blocked.

Note: All unmanaged Visualforce pages are now served on the force.com domain when not accessing a site domain. To find out if this change affects you, see Ensure Access to Your Visualforce Pages in Summer ’24 and Winter ’25.

Several major browsers have already disabled third-party cookies by default, including Mozilla Firefox, Apple Safari, and Brave. In January 2024, Google started a gradual rollout of its Privacy Sandbox initiative, which phases out support for third-party cookies in its Chrome browser and enforces storage partitioning in third-party contexts. However, in July 2024, Google reversed its plans to completely block third-party cookies. Instead, Chrome users can decide whether to block third-party cookies.

Despite Google’s recent reversal, Salesforce moves ahead with its plans to end reliance on third-party cookies, such as moving Setup pages to the new *.salesforce-setup.com domain. Other popular browsers already block third-party cookies by default, and Salesforce expects that many enterprises and users will choose to block third-party cookies due to privacy concerns.