Upcoming "clickjacking" protection

There's more on this in the Winter '13 release notes.

Interpreting the release notes, it looks like you have to go in and enable the settings. The release notes do inform the user that some pages may display as blank.

Clickjacking Protection Available

You can enable protection against clickjack attacks (also known as user interface redress attacks) for non-setup pages and your custom Visualforce pages. Setup pages already include protection against clickjack attacks. Click Your Name > Setup > Security Controls > Session Settings to select:
  • Enable clickjack protection for non-setup Salesforce pages

  • Enable clickjack protection for customer Visualforce pages with standard headers

  • Enable clickjack protection for customer Visualforce pages with headers disabled

It’s possible that pages will either display as a blank page or without the frame if either of these settings is enabled and either of the following conditions exists:

  • Your organization displays Salesforce.com user interface pages within a frame or iframe.

  • You use custom Visualforce pages within a frame or iframe.

The behavior varies depending on your browser and its version. To ensure that these pages will continue to work correctly in your organization, discontinue displaying these pages within a frame or iframe.


I do know that it can optionally be disabled on a per-org basis under Session Settings.

I did just get unofficial word that it does default to ON, although I'm not confident this is really the case yet.

What technical details we do have come from this bit:

Custom Visualforce pages with the showHeader attribute in the apex:page element set to true within a frame or iframe.

This implies there will be a somewhat standard frame buster script inserted on every Visualforce page with showHeader="true" and all standard SFDC pages.

Outside of a leak directly from R&D I think this is the extent of the available information.
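To make the two mechanisms discussed in this thread concrete, the following is an added example (not Salesforce's script, and not taken from the release notes): a classic script-based frame buster written against a window-like object so it can be unit-tested, and a small model of how a browser evaluates framing headers (X-Frame-Options and CSP frame-ancestors), which is what produces the "blank page" symptom the release notes warn about. Header names, origins and the policy values are constructed for illustration; the precedence rule (frame-ancestors wins over X-Frame-Options when both are present) follows the CSP specification. Script-based busting is only a fallback, since it can be defeated by the embedding page; header-based enforcement by the browser is the robust control.

```javascript
// Added example: frame-busting and framing-policy evaluation (not Salesforce code).

// True only when the document is rendered inside a frame or iframe.
function isFramed(win) {
  return win.top !== win.self;
}

// Classic frame buster: if framed, navigate the top-level window to this page's
// own URL. Returns true when it redirected, false when nothing needed doing.
function frameBuster(win) {
  if (!isFramed(win)) return false;
  win.top.location = win.self.location;
  return true;
}

// Normalise a header map to lower-case keys (HTTP header names are case-insensitive).
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Model of the browser's decision: may `embedderOrigin` frame a page served from
// `pageOrigin` with these response headers? Returns 'allow' or 'deny'.
function framingDecision(headers, pageOrigin, embedderOrigin) {
  const h = normaliseHeaders(headers);
  const page = pageOrigin.toLowerCase();
  const embedder = embedderOrigin.toLowerCase();

  // CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp
      .split(';')
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive
        .split(/\s+/)
        .slice(1)
        .map((s) => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.includes('none')) return 'deny';
      if (sources.includes('self') && embedder === page) return 'allow';
      if (sources.includes(embedder)) return 'allow';
      return 'deny';
    }
  }

  // Fall back to X-Frame-Options (DENY / SAMEORIGIN); anything else is treated as framable.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return embedder === page ? 'allow' : 'deny';
  return 'allow';
}

// Constructed demonstration: a page that sends SAMEORIGIN, framed from a different origin.
const demoHeaders = { 'X-Frame-Options': 'SAMEORIGIN' };
console.log(
  'third-party frame:',
  framingDecision(demoHeaders, 'https://app.example', 'https://portal.example'),
  '| same-origin frame:',
  framingDecision(demoHeaders, 'https://app.example', 'https://app.example')
);

module.exports = { isFramed, frameBuster, framingDecision };
```

Run it with `node` to see the two decisions printed; in practice, a 'deny' result is exactly the case where a framed page renders as blank, which is why the release notes recommend no longer displaying the affected pages inside a frame or iframe rather than trying to work around the protection.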