Apex:Iframe not working in Visualforce pages. - Answers - Salesforce Trailblazer Community
Chetan Sharma

Apex:Iframe not working in Visualforce pages.

I want to open an external website in an iframe in a Visualforce page, but it's not working fine.

Code :
<apex:iframe src="https://www.salesforce.com" scrolling="true" id="theIframe"/>

I have tried all possible ways to do so. I have included the URL in CSP Trusted Sites. Whitelisted the URL in Session settings. Tried the possible ways of enabling and disabling Clickjack Protection. But it is not working fine.

Getting the following errors:- 

Invalid 'X-Frame-Options' header encountered when loading 'https://chetandevorg-dev-ed.my.salesforce.com/apexpages/devmode/devConsoleViewStateMetadataReceiver.apexp?sfdcIFrameOrigin=https%3A%2F%2Fchetandevorg-dev-ed--c.ap5.visual.force.com': 'ALLOW-FROM https://chetandevorg-dev-ed--c.ap5.visual.force.com' is not a recognized directive. The header will be ignored.


Refused to display 'https://www.salesforce.com/in/?ir=1' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

My org API Version is 48.0
and Salesforce release version: Summer 20
Please suggest what to do.


 
Best Answer chosen by Jayson (salesforce.com) 
Amnon Kruvi
Hi Chetan,

A website can decide not to allow another website to display it in a frame. This is not something that you can control, but only the target of the frame can.

All Answers

Ankush Agarwal
Hi Chetan,

You may go through the articles below to find a possible solution:
https://help.salesforce.com/articleView?id=000325581&language=en_US&type=1&mode=1

https://help.salesforce.com/articleView?id=000352191&language=en_US&mode=1&type=1
 
Chetan Sharma
Thanks Amnon. You are right. At the website end, our domain should be allowed to access the particular URL in the frame-ancestors configuration.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
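
The two console errors in the question and the frame-ancestors fix from the last reply can be reproduced with a small checker. This is an added example, not code from the thread or from Salesforce: `canFrame` and `matchesSource` are hypothetical names, `partner.example` and its header are constructed, and the logic approximates current browser behaviour while checking only the immediate parent frame.

```javascript
// Added example (not from the thread): approximates the framing decision of a
// current browser. Simplification: only the immediate parent is checked.
const DEFAULT_PORT = { "https:": "443", "http:": "80" };

function matchesSource(source, embedder, self) {
  if (source === "*") return true;
  if (source === "'self'") return embedder.origin === self.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return embedder.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false; // 'none' and malformed sources match nothing
  const [, scheme, wildcard, host, port] = m;
  // A scheme-less source inherits the scheme of the framed page.
  const wantScheme = scheme ? scheme.toLowerCase() + ":" : self.protocol;
  if (embedder.protocol !== wantScheme) return false;
  // A source without a port means the default port of its scheme.
  const actualPort = embedder.port || DEFAULT_PORT[embedder.protocol];
  if (port !== "*" && actualPort !== (port || DEFAULT_PORT[wantScheme])) return false;
  const want = host.toLowerCase();
  return wildcard ? embedder.hostname.endsWith("." + want) : embedder.hostname === want;
}

function canFrame(headers, embedderUrl, targetUrl) {
  const embedder = new URL(embedderUrl), self = new URL(targetUrl);
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const directives = (h["content-security-policy"] || "").split(";").map(d => d.trim().split(/\s+/));
  const fa = directives.find(d => d[0].toLowerCase() === "frame-ancestors");
  if (fa) { // frame-ancestors takes precedence; X-Frame-Options is not consulted
    const allowed = fa.slice(1).some(s => matchesSource(s, embedder, self));
    return { allowed, decidedBy: "frame-ancestors" };
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, decidedBy: "x-frame-options" };
  if (xfo === "SAMEORIGIN") return { allowed: embedder.origin === self.origin, decidedBy: "x-frame-options" };
  // Missing or unrecognized value (such as ALLOW-FROM): ignored, nothing blocks framing.
  return { allowed: true, decidedBy: xfo ? "x-frame-options ignored" : "no policy" };
}

const VF = "https://chetandevorg-dev-ed--c.ap5.visual.force.com"; // embedding origin from the question
const cases = [ // first two header values come from the quoted errors, the third is constructed
  ["https://www.salesforce.com", { "X-Frame-Options": "sameorigin" }],
  ["https://chetandevorg-dev-ed.my.salesforce.com", { "X-Frame-Options": "ALLOW-FROM " + VF }],
  ["https://partner.example", { "Content-Security-Policy": "frame-ancestors 'self' " + VF }],
];
for (const [target, headers] of cases) console.log(target, canFrame(headers, VF, target));
```

The first case is refused, the second shows why the ALLOW-FROM message is only a warning, and the third is the kind of header the framed site itself has to send.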