          Specify Trusted Domains for Inline Frames

          To allow external sites to load your Visualforce pages or surveys in an inline frame (iframe), add the domain to an allowlist in Session Settings.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions
          User Permissions Needed
          To modify session security settings: Customize Application

          This topic covers inline framing for Visualforce pages. To specify trusted domains for Experience Cloud sites and Salesforce Sites, see Enable Clickjack Protection for Experience Builder Sites and Enable Clickjack Protection in Site.com in Salesforce Help.

          Note: Some infrastructure limits the maximum size of HTTP headers. If you allow multiple domains to frame content served by your org, keep the size of the CSP header under 12 KB. Salesforce customers report issues when the header size approaches 16 KB, and third parties often add to the header during processing.
          1. Determine the domains that you trust to frame your Visualforce pages.

            When you determine the external domains to allowlist, remember to include these domain types.

            1. Custom domains—Domains that you own, such as https://www.example.com, that serve your site content.
              You can find your custom domains on the Domains page in Setup. For more information, see View Your Custom Domain Details in Salesforce Help.
            2. Visualforce pages delivered by a managed package.
              These pages use the URL format MyDomainName--PackageName.vf.force.com in production and MyDomainName--SandboxName--PackageName.sandbox.vf.force.com in a sandbox. To find the URL formats for other non-production orgs, see Partitioned Domains in Salesforce Help.

              To get the package names for the package-delivered Visualforce pages for your org, use the Namespace Prefix column on the Visualforce Pages page in Setup.

              Note: Visualforce pages in Salesforce-delivered packages use c as the package name and aren’t treated as external sites.
          2. From Setup, in the Quick Find box, enter Session Settings, and then select Session Settings.
          3. In the Trusted Domains for Inline Frames section of the Session Settings Setup page, click Add Domain.
          4. Enter the domain.
            Acceptable formats are example.com, https://example.com, and *.example.com.
          5. Select the allowed IFrame Type for this domain.
            1. To allow the specified domain to load Visualforce pages in an iframe, select Visualforce Pages and save your changes.
              If clickjack protection is enabled for the Visualforce page, the domain is added to the Content Security Policy (CSP) frame-ancestors HTTP response header for the corresponding Visualforce pages. For example, 'self' abc.com *.my.site.com. For more information, see Enable Clickjack Protection for Visualforce Pages in Salesforce Help.

              If clickjack protection isn’t enabled for the Visualforce page, then all external websites can load the Visualforce page in an iframe. For more information, see Configure Clickjack Protection in Salesforce Help.

            2. To allow the specified domain to load surveys in an iframe, select Surveys and save your changes.
              The domain is added to the CSP frame-ancestors HTTP response header for Survey pages. For example, 'self' abc.com *.my.site.com.
            3. To allow the specified domain to load disclosures in an iframe, select Disclosure and Compliance Hub Connector and save your changes.
          6. To edit a domain in your Trusted Domains for Inline Frames list, click Edit for that domain.
          7. To delete a domain in your Trusted Domains for Inline Frames list, click Del for that domain.

          To load authenticated Visualforce pages in an iframe, additional steps are required. See Put Visualforce Pages on External Domains in the Visualforce Developer Guide.
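
After saving the allowlist, you can check the Content-Security-Policy value that a Visualforce or Survey page returns against the origins you intend to trust. The following is an added example, not Salesforce code: the function names, the placeholder org origin, and the test origins are assumptions, and the source matching is simplified to scheme and host only.

```python
from urllib.parse import urlsplit

MAX_CSP_BYTES = 12 * 1024  # header size ceiling recommended in the note above

def frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def source_allows(source, origin, self_origin):
    """Simplified CSP source match: scheme and host only; ports and paths ignored."""
    o = urlsplit(origin.lower())
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return origin.lower() == self_origin.lower()
    if src == "*":
        return True
    if "://" in src:
        scheme, src = src.split("://", 1)
        if scheme != o.scheme and not (scheme == "http" and o.scheme == "https"):
            return False
    elif o.scheme != "https":  # assumption: the framed page itself is served over HTTPS
        return False
    if src.startswith("*."):
        return (o.hostname or "").endswith(src[1:])  # subdomains only, not the bare domain
    return o.hostname == src

def audit(csp, self_origin, must_allow, must_block):
    """List problems: oversized header, missing directive, wrong allow/block results."""
    findings = []
    if len(csp.encode()) > MAX_CSP_BYTES:
        findings.append("CSP header exceeds 12 KB")
    sources = frame_ancestors(csp)
    if sources is None:
        return findings + ["no frame-ancestors directive: CSP does not restrict framing"]
    def allowed(origin):
        return any(source_allows(s, origin, self_origin) for s in sources)
    findings += [f"trusted origin blocked: {o}" for o in must_allow if not allowed(o)]
    findings += [f"untrusted origin allowed: {o}" for o in must_block if allowed(o)]
    return findings

# Constructed sample: the header value shown on this page, with a placeholder org origin.
SAMPLE_CSP = "frame-ancestors 'self' abc.com *.my.site.com"
SELF_ORIGIN = "https://mydomainname--packagename.vf.force.com"
```

An empty list from `audit` means the header is within the size limit and every listed origin gets the expected result. A wildcard entry such as *.my.site.com covers subdomains only, so the bare domain needs its own entry if it must frame the page.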

           