Salesforce summer 16 - page not loading in iframe
I just went through some docs and i want to share that:
1.Reason of error: See these links:
- Apex:iFrame in visualforce page stopped working since Summer 15 release
- IFrame or Web Tab content displays blank page
It says:
Description: Clickjacking attacks, and defenses like X-Frame-options, which are rising in popularity, are preventing iframes from being a valid way to display content. Since using an iframe is no longer possible, well give you more information on what your options are.
Resolution: Salesforce has also implemented its own defenses to "Clickjacking" attacks within the native UI. Due to this, the iFraming of Salesforce, or the iFraming of some external websites may no longer be possible. Modern browsers are forced to defend against this new kind of attack, where framing is used by malicious attackers to compromise a browser and potentially steal customer data.
Workaround: If you're encountering this problem, instead of using a web tab, a custom link can deliver the URL with the behavior set to:
Display in new window.
Display in existing window without sidebar or header.
I haven't tested this issue myself. Probably I will give it a try and will come up with something better. Let me know if you get these points.
I have a compelling reason to believe this is a summer '16 bug because there are additional error messages beyond the CSP error. All VF pages even if they don't contain an Iframe generate an error indicating that a necessary header is being ignored,
Invalid 'X-Frame-Options' header encountered when loading 'https://c.gus.visual.force.com/apex/iFrame_Test_New_VF?sfdcIFrameHost=web&i…=p1&sfdcIFrameOrigin=https%3A%2F%2Fgs0.lightning.force.com&t=1462982731709': 'ALLOW-FROM https://gs0.lightning.force.com' is not a recognized directive. The header will be ignored.
This X-Frame-Options header is meant to whitelist additional salesforce domains for use within iframes. I have reported the bug to Salesforce and am awaiting a response, will update if I get confirmation.