Spring '15 - Clickjack protection update on Reports and Dashboards

Visualforce, Spring '15

Last updated 2017-04-14 ·Reference W-2396080 ·Reported By 34 users

Fixed - Spring '15

What update was rolled out in Spring '15?

In the Spring '14 release, the auto-activation of Clickjack Protection for Non-Setup Pages occurred in February 2014.

Since that release, we identified that the Reports and Dashboards non-setup pages were not identified and included in the original security critical update. In Spring '15, we rolled out the necessary fixes for these non-setup pages, and they are now covered by the clickjack protection security feature under Setup > Security Controls > Session Settings.

Why is this important?
If clickjack protection is disabled on reports, a report page could be iframed on a malicious domain without the customer's knowledge. This can lead to users performing actions such as deleting reports without even realizing it.

Please note that this issue is independent of the Visualforce page Homepage Components issue: https://success.salesforce.com/issues_view?id=a1p30000000T4jRAAS

Up until Spring '15, you may have had Visualforce pages that used iframes to display reports or dashboards, like so:

<iframe src="/{!ReportId}" name="Standard Report page iframed"/>

Now that clickjack protection is enabled, you will see an error in the browser console (Chrome, for example) like the following:

Refused to display 'https://{instance}.salesforce.com/01Z............' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Unfortunately, there is no longer a way to iframe a dashboard or report into a Visualforce page.

You must load the content within its serving domain. For example, you can provide a link to the report or dashboard that opens in a new window or in the current document by using the target attribute on the <apex:commandLink> component or an <a> tag.
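As an added check, not code from the article: a small JavaScript function that applies the X-Frame-Options rule behind the console message above (and a CSP frame-ancestors directive when one is present) to decide whether a given framing origin would be allowed, so you can verify a page's clickjack protection from its response headers. The hostnames in the sample call are constructed placeholders.

```javascript
// Added example, not code from the Salesforce article. Given the response
// headers of a URL and the origin of the document trying to frame it, decide
// whether a browser would render the frame. X-Frame-Options is evaluated as
// the console message above describes (DENY / SAMEORIGIN); a CSP
// frame-ancestors directive, when present, takes precedence as in browsers.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Match one frame-ancestors source expression against the framing origin.
// Supports 'self', 'none', '*' and host sources such as https://*.example.com
// (ports are not modelled).
function sourceMatches(src, framerOrigin, pageOrigin) {
  if (src === "'self'") return framerOrigin === pageOrigin;
  if (src === "'none'") return false;
  if (src === "*") return true;
  const f = new URL(framerOrigin);
  let host = src.toLowerCase();
  const schemeSplit = host.indexOf("://");
  if (schemeSplit !== -1) {
    if (host.slice(0, schemeSplit) + ":" !== f.protocol) return false;
    host = host.slice(schemeSplit + 3);
  }
  host = host.replace(/:\d+$/, "");
  const hn = f.hostname.toLowerCase();
  return host.startsWith("*.") ? hn.endsWith(host.slice(1)) : hn === host;
}

function framingAllowed(pageUrl, headers, framerOrigin) {
  const pageOrigin = originOf(pageUrl);
  const csp = headers["content-security-policy"];
  if (csp) {
    const directive = csp.split(";").map(d => d.trim())
      .find(d => /^frame-ancestors(\s|$)/i.test(d));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      return sources.some(s => sourceMatches(s, framerOrigin, pageOrigin));
    }
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framerOrigin === pageOrigin;
  return true; // no (or unrecognised) header: any origin may frame the page
}

// Constructed sample: a report URL served with SAMEORIGIN (placeholder
// hostnames), framed from a Visualforce page on a different origin.
const reportHeaders = { "x-frame-options": "SAMEORIGIN" };
console.log(framingAllowed("https://instance.salesforce.com/01Zplaceholder",
  reportHeaders, "https://vf-page.example")); // false: the frame is refused
```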

If you have any suggestions on what to implement in a future release, please use our IdeaExchange site to log suggestions for new features or changes. The more votes an Idea receives, the more visibility it will have with its related team at Salesforce and the more likely it is to be taken under consideration.

For example:
https://success.salesforce.com/ideaView?id=08730000000l5khAAA - Suggestion "We are asking that this be fixed so that URLs from standard and visualforce pages are NOT flagged as being from different servers, avoiding the ClickJacking critical update completely"
https://success.salesforce.com/ideaView?id=08730000000jxbtAAA - Suggestion "Visualforce page component that could accept the id of a dashboard and output it"
