Here are the steps to reproduce on a Winter 13 sandbox:
Create the following VisualForce component called TestClickJackComponent:
<apex:component >
<!-- Begin Default Content REMOVE THIS -->
<h1>Congratulations</h1>
This is your new Component
<!-- End Default Content REMOVE THIS -->
</apex:component>
Create the following VisualForce page called TestClickJack:
<apex:page StandardController="Lead">
<!-- Begin Default Content REMOVE THIS -->
<h1>Congratulations</h1>
This is your new Page
<!-- End Default Content REMOVE THIS -->
<c:TestClickJackComponent />
</apex:page>
Add the page to your lead page layout. You'll see:
Congratulations This is your new Page Congratulations This is your new Component
Now go to Enable Setup-Security Controls – Session Settings and select Enable clickjack protection for non-setup customer Visualforce pages
Now you'll see:
URL No Longer Exists You have attempted to reach a URL that no longer exists on salesforce.com.
So, my question is - is this a bug? Or is it expected behavior with the new clickjacking protection?
Attribution to: kibitzer
Possible Suggestion/Solution #1
I would assume with click-jacking that SFDC URLs are white-listed. However, because all browsers enforce cross origin policies, click jacking should only be an issue between pages on the same domain and iframe.
However, it could be that standard pages are on a different domain than custom VF page domain.
So, I just did something similar, dropped a VF page with a standard controller Lead
onto the lead layout:
Enable clickjack protection for non-setup Salesforce pages - no issues
Enable clickjack protection for non-setup customer Visualforce pages - same error: URL doesn't exist.
Seems like the 2nd option (checked with or without both) causes this error: So it looks like it's stopping the iframe from accessing VF pages when the 2nd option is checked, which I would assume is the expected behavior
Attribution to: jordan.baucke
Possible Suggestion/Solution #2
Have received further reliable information from Salesforce.
This is the expected behavior, at least for now. They will be looking into it further.
The workaround is to be sure to set ShowHeader = false on the page tag for the VisualForce page.
From my perspective, the real failure here is in communication. A failure to make it very clear in the documentation and release notes that this problem does apply to Visual Force pages on page layouts, a failure to clearly document the workaround (it's not even mentioned in the release notes), a failure to give organizations and ISVs lead time that this issue was coming so they'd have time to validate code and put in the necessary updates before user's turn on this feature an go into a panic when everything breaks. A failure of the support organization (I opened a case and got back that this was a "feature" - but without any note of the workaround).
Attribution to: kibitzer
This content is remixed from stackoverflow or stackexchange. Please visit https://salesforce.stackexchange.com/questions/1387