
Clickjack Protection for Legacy Browsers

There is a Salesforce Critical Update that will be automatically activated in February 2017: “Add Clickjack Protection for Legacy Browsers to Visualforce Pages Without Page Header.”

First, you need to understand clickjacking. Wikipedia describes it as “a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.”

In practice, the attacker loads the target page inside an invisible or disguised frame on a page they control, so a click that appears to land on a harmless button actually lands on a control in the framed page (a “Submit” or “Approve” button, for example). The victim page’s own code runs normally; it is the user’s intent that is hijacked. This is a browser-level weakness that affects any site that can be framed, across browsers and platforms, and Salesforce pages are no exception.

Modern browsers honour the X-Frame-Options HTTP response header, which tells the browser not to render the page inside a frame on another site, so the header alone protects them. Older browsers ignore that header; protecting them requires HTML markup and JavaScript in the page itself, and that is the gap this update closes.

With this update enabled, Visualforce adds the expected markup and code to the page regardless of the page’s API version, so every Visualforce page respects the org’s or site’s clickjack protection settings.

The update has no effect on pages whose contentType attribute is set to any value other than “text/html” or “text/xhtml”.

Before the update, Visualforce pages set to API version 26.0 or earlier that were rendered without the standard Salesforce header (showHeader set to false) did not include the HTML markup and JavaScript code needed for legacy-browser clickjack protection. That protection was omitted even when the org or site was configured to include it.

As Salesforce puts it, “Several security settings add clickjack protection to Visualforce pages.” For older browsers that protection takes the form of HTML markup and JavaScript code added to the page, and the settings below control whether it is added.
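To make the header-versus-markup distinction concrete, here is an added example (not Salesforce’s or MyOnlineAdmin’s code, and not what Visualforce actually emits). It models a response carrying X-Frame-Options beside the kind of in-page frame-busting markup legacy browsers need, and a small simulation of whether a page ends up clickable inside an attacker’s frame. The browser profiles, origins and policy names are this example’s own assumptions.

```javascript
// Added example: why a page needs BOTH the X-Frame-Options header and
// legacy frame-busting markup/JavaScript. Browser profiles and origins
// below are constructed for illustration.

// What a clickjacking page looks like: the victim page is framed at full
// size with opacity 0, and a decoy button is positioned over a real control.
function attackerOverlayHtml(victimUrl) {
  return [
    `<iframe src="${victimUrl}" style="opacity:0;position:absolute;`,
    `top:0;left:0;width:100%;height:100%"></iframe>`,
    `<button style="position:absolute;top:120px;left:80px">Claim prize</button>`,
  ].join("\n");
}

// Header-side defence: modern browsers honour these and refuse to render
// the page in a cross-origin frame. frame-ancestors is the CSP equivalent.
function clickjackHeaders(policy) {
  const cspValue = { DENY: "'none'", SAMEORIGIN: "'self'" };
  if (!(policy in cspValue)) throw new Error(`unknown policy ${policy}`);
  return {
    "X-Frame-Options": policy,
    "Content-Security-Policy": `frame-ancestors ${cspValue[policy]}`,
  };
}

// Markup-side defence for browsers that ignore the header: hide the body
// until the page confirms it is the top-level window, then either reveal
// it or break out of the frame. This is a generic pattern, not Salesforce's.
const LEGACY_FRAME_BUSTING_MARKUP = [
  '<style id="antiClickjack">body{display:none !important;}</style>',
  "<script>",
  "  if (self === top) {",
  '    var s = document.getElementById("antiClickjack");',
  "    s.parentNode.removeChild(s);",
  "  } else {",
  "    top.location = self.location;",
  "  }",
  "</script>",
].join("\n");

// The check the inline script performs, on a simulated window object.
function isFramed(win) {
  return win.self !== win.top;
}

// Simulation: does the page render clickable inside the attacker's frame?
// browser: { honorsXFrameOptions, runsJavaScript }
// page:    { headers, legacyMarkup }
function rendersInsideFrame(browser, page, frameOrigin, pageOrigin) {
  const xfo = page.headers["X-Frame-Options"];
  if (browser.honorsXFrameOptions && xfo) {
    if (xfo === "DENY") return false;
    if (xfo === "SAMEORIGIN" && frameOrigin !== pageOrigin) return false;
  }
  // Header absent or ignored: only the in-page script can still save us.
  if (page.legacyMarkup && browser.runsJavaScript) return false;
  return true; // framed and clickable: clickjackable
}

// Constructed profiles matching the page's "modern" vs "legacy" distinction.
const MODERN_BROWSER = { honorsXFrameOptions: true, runsJavaScript: true };
const LEGACY_BROWSER = { honorsXFrameOptions: false, runsJavaScript: true };

// The situation the update fixes: headers present, markup missing.
function legacyGapDemo() {
  const headersOnly = { headers: clickjackHeaders("SAMEORIGIN"), legacyMarkup: false };
  const headersAndMarkup = { headers: clickjackHeaders("SAMEORIGIN"), legacyMarkup: true };
  const attacker = "https://attacker.example";
  const victim = "https://victim.example";
  return {
    modernHeadersOnly: rendersInsideFrame(MODERN_BROWSER, headersOnly, attacker, victim),
    legacyHeadersOnly: rendersInsideFrame(LEGACY_BROWSER, headersOnly, attacker, victim),
    legacyWithMarkup: rendersInsideFrame(LEGACY_BROWSER, headersAndMarkup, attacker, victim),
    sameOriginStillAllowed: rendersInsideFrame(MODERN_BROWSER, headersOnly, victim, victim),
  };
}
```

The useful result is `legacyHeadersOnly`: a legacy browser with a correct X-Frame-Options header but no in-page markup still renders the page inside the attacker’s frame, which is exactly the state a header-less Visualforce page on API 26.0 or earlier was in before this update. To verify your own pages after enabling the settings, load one inside an iframe on a different origin; a modern browser should leave the frame blank, and a legacy browser should either keep the body hidden or navigate out of the frame.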

To enable clickjack protection for Visualforce pages with the “headers disabled” setting:

  1. Navigate to Security > Session Settings and select “Enable clickjack protection for customer Visualforce pages with headers disabled.” This enables clickjack protection on the org’s Visualforce pages that set the page’s showHeader attribute to false.
  2. Navigate to Develop > Sites, edit each site, and choose the desired level in the “Clickjack protection level” field to protect Visualforce pages served through Force.com Sites.

When MyOnlineAdmin is your Certified Salesforce Administrator, you need not worry about critical updates such as this. We are proactive and make sure you are protected.

