ClickJack Protection for Salesforce

ClickJack Protection for Salesforce

ClickJacking name sounds like an unfamiliar jargon for those who have never heard of it. Let me clarify it for you, it is a technique used for hacking. Clickjacking, also known as UI redressing, is in the click fraud category and is a method used by criminal hackers to make users unknowingly perform certain actions by clicking on buttons or links. The objectives of clickjacking include the control of other people’s PCs as well as the redirection of users to paid content or fraudulent websites.

On the ClickJacked page, the users think they are clicking buttons corresponding to the bottom layer, while they are actually performing actions on the hidden page on top.

Following is an example of a Clickjacked Frame:


Vulnerable Page:


The styles with the border Red is actually doing the magic by making the frame Hidden. As a user you don’t see this form because the attacker cleverly set the transparency of the iFrame to 0, rendering it invisible. Next, the attacker modified the CSS properties of the iFrame to position it directly on top of the button. When a user clicks the button, the user is actually interacting with the transparent iFrame above it. Resulting in a person being banished.



The server-side header X-Frame-Options can permit or forbid displaying the page inside a frame like the one introduced in Internet Explorer® 8 called X-FRAME-OPTIONS. It must be sent by the server.It offers 3 options namely DENY, SAMEORIGIN, ALLOW-FROM


DENY: A page with any kind of iFrame will not be Loaded.

SAMEORIGIN: if the origin is the same as the content (for example, versus only then framing is allowed.

ALLOW-FROM domain: Allow inside a frame if the parent document is from the given domain. For instance, Twitter uses X-Frame-Options: SAMEORIGIN. Here’s the result: <iframe src=""></iframe>


2) Old-school defenses (weak):

The oldest defense is a bit of JavaScript which forbids opening the page in a frame (so-called “framebusting”).

That looks like this:

if (top != window) {
    top.location = window.location;

This is not a reliable defense, because there are many ways to hack around it.

3) Enable this in Salesforce:

Under the Security Controls -> Session Settings section.


How do these settings affect my Salesforce environment?

Publisher Actions that include Visualforce pages, standalone Visualforce pages, and any pages included in an <iframe> will all be controlled by your ClickJack Protection settings.

If your settings are active and your VF pages are not correctly formatted you will see this error whenever you try to view a page."URL No Longer Exists"


Visualforce page showing URL No Longer ExistsNot the most helpful error message in the world but you have a few options on what to do.

What you can to prevent this:

Discontinue displaying pages in your Salesforce environment within a frame or <iframe>. This solution is recommended.



Comments are closed.

Popular Salesforce Blogs