Spring ’14 Clickjack Protection for Non-Setup Pages Auto-Enabled

Last updated 2021-04-19 · Reference W-1627471 · Reported By 42 users

In Review

Summary
What is the change?
Previously, to protect non-setup Salesforce pages against clickjacking, the administrator had to select Enable clickjack protection for non-setup Salesforce pages under Setup > Security Controls > Session Settings. In parallel, a Critical Update that enables this setting was released into customer orgs. When a customer activates this critical update, clickjack protection for non-setup Salesforce pages is enabled automatically for their organization. Otherwise, on the auto-activation date, the protection is enabled for all organizations by default. The Critical Update is set to auto-activate in all orgs in February 2014.

Repro
What is the impact to a commercial app developer?
As an ISV, if your application displays non-setup Salesforce pages within a frame or <iframe>, those pages may render as a blank page, or display without the frame, after clickjack protection is enabled. The exact behavior depends on the browser and its version. Although there are legitimate reasons to frame pages, framing is also the mechanism that clickjacking attacks rely on.

Additionally, if a customer frames your app from another domain, your application will stop loading those pages properly.

To ensure that these pages continue to work correctly, stop displaying them within a frame or iframe.
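Browsers enforce clickjack protection through framing restrictions carried in the HTTP response (the X-Frame-Options header or the CSP frame-ancestors directive), which is why a framed page renders blank or loses its frame. The checker below is an added example, not Salesforce code: given a response's headers, it predicts whether a page will render when framed from a given parent origin, so an ISV can audit which framed pages the change will break. The header values and URLs are constructed; the notice does not say which header Salesforce sends.

```python
"""Predict whether a page renders inside a frame, from the response headers browsers
use to enforce clickjack protection (X-Frame-Options and CSP frame-ancestors)."""
from urllib.parse import urlsplit


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _frame_ancestors(csp):
    # Source list of the frame-ancestors directive, or None when it is absent.
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _matches(source, parent, page):
    # Simplified CSP source matching: 'self', '*', wildcard host, bare host, full origin.
    host = urlsplit(parent).hostname
    if source == "'self'":
        return parent == page
    if source == "*":
        return True
    if source.startswith("*."):
        return host.endswith(source[1:])
    return _origin(source) == parent if "://" in source else host == source


def framing_allowed(headers, page_url, parent_url):
    """True if a browser honouring these headers shows page_url framed by parent_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page, parent = _origin(page_url), _origin(parent_url)
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:  # frame-ancestors, when present, overrides X-Frame-Options
        return any(_matches(s, parent, page) for s in ancestors if s != "'none'")
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return parent == page
    return True  # no restriction sent (obsolete ALLOW-FROM is ignored by current browsers)


# Constructed headers (not captured from Salesforce) for one page before and after protection.
BEFORE = {"Content-Type": "text/html"}
AFTER = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
PAGE, PARTNER = "https://org.example/page", "https://partner-app.example/app"


def demo():
    return {"before": framing_allowed(BEFORE, PAGE, PARTNER),
            "after": framing_allowed(AFTER, PAGE, PARTNER),
            "after_same_origin": framing_allowed(AFTER, PAGE, "https://org.example/other")}
```

Browsers that do not implement these headers ignore them and render the frame anyway, which is the browser-dependent behaviour the notice describes.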

Workaround
How can I get more information?
Information regarding this change will be available in the Spring ’14 Release Notes. Check the Releases for Partners page (http://p.force.com/releases) for updates on the status of the release notes. If you have a particular question, please log a case or consult with your ISV AE or TE to discuss your specific situation.

Any unreleased services, features, statuses, or dates referenced in this or other public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make their purchase decisions based upon features that are currently available.