Prepare for Critical Update: Clickjack Protection for Legacy Browsers for Visualforce Pages Without Page Header

In about a week's time, a Critical Update called "Clickjack Protection for Legacy Browsers for Visualforce Pages Without Page Header" (the CU) will come into effect. This CU extends clickjack protection for legacy browsers to Visualforce pages that set showHeader="false" when those pages are configured on API versions older than 27.0.

Clickjack protection is added to VF pages through several security settings, two of which are affected by this CU:

  • Setup | Security | Session Settings > “Enable clickjack protection for customer Visualforce pages with headers disabled” enables clickjack protection on an org’s Visualforce pages that set the page’s showHeader attribute to false; and
  • Setup | Develop | Sites > “Clickjack Protection Level” enables clickjack protection for Visualforce pages displayed in Force.com Sites.

While the X-Frame-Options HTTP header protects most browsers from clickjack attacks, older versions of Internet Explorer, for example, don’t honor that header. Some HTML and JavaScript code is therefore added to the page to extend clickjack protection to those older browsers.

Here’s the problem. When you set the Visualforce page’s showHeader attribute to false, VF pages with API version 26.0 and earlier don’t include the HTML and JavaScript needed to protect legacy browsers from clickjack attacks. This protection is omitted even when the org or the site is configured to include it!

That’s where the CU comes in: it ensures that the expected HTML markup and JavaScript code are placed on the Visualforce page regardless of its API version, making all pages compliant with the org’s clickjack protection settings.

Figure out which pages are affected:

Navigate to Setup | Develop | Visualforce Pages. Create a new view that shows pages whose API version is ‘less or equal’ to 26.0, save it and run it. If no pages are listed, you’re good!

If you have results, you need to make sure those pages are compliant. Open each Visualforce page. If the page’s contentType attribute is not "text/html" or "text/xhtml", the page is fine; check the next one.

Specifically, you’re looking for pages that have the showHeader attribute set to false.

If the page has a hardcoded <head> tag, this page is likely to have problems. To resolve this, manually hardcode static <html> and <body> tags in the page, and set the applyHtmlTag and applyBodyTag attributes of <apex:page> to false.

When you activate the CU in a sandbox, you’ll want to test every page, but pay special attention to those that fall into the last category.
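The checks above can be scripted against a metadata retrieve before you activate the CU in a sandbox. The following audit helper is an added example, not code from the post or from Salesforce; the sample pages are constructed, and it assumes double-quoted attributes and the Visualforce defaults of showHeader="true" and contentType="text/html" when those attributes are absent.

```python
import re

# Audit helper for the procedure above: classify Visualforce pages by API version
# and <apex:page> attributes. In practice markup and apiVersion come from a
# metadata retrieve (.page / .page-meta.xml); here sample pages are constructed.
# Assumed Visualforce defaults when an attribute is absent: showHeader="true",
# contentType="text/html". Attribute values are assumed to be double-quoted.

APEX_PAGE_TAG = re.compile(r"<apex:page\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR = re.compile(r'([\w:]+)\s*=\s*"([^"]*)"')

def page_attrs(markup):
    """Attributes of the opening <apex:page> tag as a lowercase-keyed dict."""
    m = APEX_PAGE_TAG.search(markup)
    return {k.lower(): v.strip() for k, v in ATTR.findall(m.group(1))} if m else {}

def classify(api_version, markup):
    """Apply the post's checks in order and return a verdict string."""
    if float(api_version) > 26.0:
        return "not affected"  # API 27.0+ already emits the legacy-browser markup
    attrs = page_attrs(markup)
    content_type = attrs.get("contenttype", "text/html").split(";")[0].strip().lower()
    if content_type not in ("text/html", "text/xhtml"):
        return "fine: non-HTML contentType"
    if attrs.get("showheader", "true").lower() != "false":
        return "fine: showHeader not false"
    if not re.search(r"<head\b", markup, re.I):
        return "affected: test after activating the update"
    # Hardcoded <head>: check whether the post's remediation is already in place.
    fixed = (attrs.get("applyhtmltag", "").lower() == "false"
             and attrs.get("applybodytag", "").lower() == "false"
             and re.search(r"<html\b", markup, re.I) and re.search(r"<body\b", markup, re.I))
    return "remediated: still test it" if fixed else "likely problem: hardcoded <head>"

# Constructed sample pages: name -> (apiVersion, markup). Not real org data.
SAMPLE_PAGES = {
    "OldReport": ("26.0", '<apex:page showHeader="false">\n<head><title>R</title></head>\n'
                          "<p>Report</p></apex:page>"),
    "OldCsvExport": ("25.0", '<apex:page contentType="text/csv" showHeader="false">a,b</apex:page>'),
    "OldWithHeader": ("24.0", "<apex:page>Hello</apex:page>"),
    "OldNoHead": ("26.0", '<apex:page showHeader="false">Plain</apex:page>'),
    "OldFixed": ("26.0", '<apex:page showHeader="false" applyHtmlTag="false" applyBodyTag="false">'
                         "<html><head></head><body>x</body></html></apex:page>"),
    "NewPage": ("30.0", '<apex:page showHeader="false"><head></head></apex:page>'),
}

def audit(pages=SAMPLE_PAGES):
    """Map every page name to its verdict."""
    return {name: classify(ver, markup) for name, (ver, markup) in pages.items()}
```

Run `audit()` over the pages from your retrieve; anything other than "not affected" or "fine" belongs on your sandbox test list, with "likely problem" pages first.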

Author: Matt

Matthew is a highly accomplished and award-winning programmer who is well versed in a variety of the hottest technologies powering today's most successful companies. With 11+ years of experience, Matthew has done it all: from the most rudimentary tasks to complex implementations of entire applications, CRMs, and pieces thereof. Today he spends his time mastering salesforce.com administration, development, and implementation as he mediates between stakeholders and project owners to successfully interface a complex company in a complex industry.
