Prepare for Critical Update: Clickjack Protection for Legacy Browsers for Visualforce Pages Without Page Header

Matt / January 31, 2017 / Salesforce

In about a week's time, a Critical Update called Clickjack Protection for Legacy Browsers for Visualforce Pages Without Page Header (referred to below as the CU) will come into effect. This CU extends clickjack protection in legacy browser versions to Visualforce pages that set showHeader="false" when those pages are configured on API versions older than 27.0.

Clickjack protection is added to VF pages through several security settings, and two of them are affected by this CU:

  • Setup | Security | Session Settings > “Enable clickjack protection for customer Visualforce pages with headers disabled” enables clickjack protection on an org’s Visualforce pages that set the page’s showHeader attribute to false; and
  • Setup | Develop | Sites > “Clickjack Protection Level” enables clickjack protection for Visualforce pages displayed in Force.com Sites.

While the X-Frame-Options HTTP header protects most browsers from clickjack attacks, older versions of IE, for example, don't respect that header. Some HTML and JavaScript code is therefore added to the page to extend this clickjack protection to older browsers.

Here’s the problem. When you set the Visualforce page’s showHeader attribute to false, VF pages with API version 26.0 and earlier don’t include the necessary HTML and JavaScript to protect legacy browsers from clickjack attacks. This protection is omitted even when the org or the site is configured to include that clickjack protection!

That's where the CU comes in: it ensures that the expected HTML markup and JavaScript code are placed on the Visualforce page regardless of its API version, making every page compliant with the org's clickjack protection settings.

Figure out which pages are affected:

Navigate to Settings | Develop | Visualforce Pages. Create a new view that shows pages whose API version is 'less or equal' to 26.0, save it and run it. If no pages are listed, you're good!

If you have results, you need to make sure your pages are compliant. Open each Visualforce page. If the page's contentType attribute is not "text/html" or "text/xhtml", the page is fine; move on to the next one.

Specifically, you're looking for pages that have the showHeader attribute set to false.

If the page has a hardcoded <head> tag, it is likely to have problems. To resolve this, manually hardcode static <html> and <body> tags in the page, and set the applyHtmlTag and applyBodyTag attributes of <apex:page> to false.

When you activate the CU in a sandbox, test every page, but pay special attention to those that fall into the last category.
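The checklist above can also be run over a Metadata API retrieve of your pages before you touch the sandbox. The script below is an added example, not part of the original post or of Salesforce's tooling: it assumes the retrieve layout of a `.page` file plus its `.page-meta.xml`, and the page names and sources in it are constructed samples.

```python
import re

# Constructed sample sources, in the layout a Metadata API retrieve produces
# (pages/<Name>.page plus pages/<Name>.page-meta.xml). Names are hypothetical.
PAGE_SRC = {
    "LegacyPopup": '<apex:page showHeader="false" sidebar="false">\n'
                   '<head><title>Popup</title></head>\n<h1>Hi</h1>\n</apex:page>',
    "LegacyFixed": '<apex:page showHeader="false" applyHtmlTag="false" applyBodyTag="false">\n'
                   '<html><head><title>Popup</title></head><body><h1>Hi</h1></body></html>\n'
                   '</apex:page>',
    "CsvExport":   '<apex:page showHeader="false" contentType="text/csv">a,b\n</apex:page>',
    "Modern":      '<apex:page showHeader="false"><head></head></apex:page>',
}
META_XML = {name: f"<ApexPage><apiVersion>{v}</apiVersion></ApexPage>"
            for name, v in [("LegacyPopup", "25.0"), ("LegacyFixed", "26.0"),
                            ("CsvExport", "24.0"), ("Modern", "38.0")]}

def api_version(meta_xml):
    m = re.search(r"<apiVersion>([\d.]+)</apiVersion>", meta_xml)
    return float(m.group(1)) if m else None

def page_attrs(page_src):
    """Attributes of the <apex:page> tag, with lower-cased keys and values."""
    m = re.search(r"<apex:page\b([^>]*)>", page_src, re.I | re.S)
    pairs = re.findall(r'(\w+)\s*=\s*"([^"]*)"', m.group(1)) if m else []
    return {k.lower(): v.strip().lower() for k, v in pairs}

def classify(page_src, meta_xml):
    """Apply the post's checklist; returns ('ok' | 'review' | 'fix', reason)."""
    version = api_version(meta_xml)
    if version is None or version > 26.0:
        return ("ok", "API version above 26.0")
    attrs = page_attrs(page_src)
    # Visualforce defaults contentType to text/html; ignore any charset suffix
    ctype = attrs.get("contenttype", "text/html").split(";")[0].strip()
    if ctype not in ("text/html", "text/xhtml"):
        return ("ok", f"contentType {ctype} is not HTML")
    if attrs.get("showheader", "true") != "false":
        return ("ok", "page header shown")
    if not re.search(r"<head\b", page_src, re.I):
        return ("review", "showHeader=false; test after activating the CU")
    static_shell = re.search(r"<html\b", page_src, re.I) and re.search(r"<body\b", page_src, re.I)
    if static_shell and attrs.get("applyhtmltag") == "false" and attrs.get("applybodytag") == "false":
        return ("review", "hardcoded <head> with static html/body; test closely")
    return ("fix", "hardcoded <head>: add static <html>/<body>, set applyHtmlTag/applyBodyTag=false")

def scan(pages=PAGE_SRC, metas=META_XML):
    return {name: classify(src, metas[name]) for name, src in pages.items()}

if __name__ == "__main__":
    for name, (verdict, reason) in scan().items():
        print(f"{name:12} {verdict:7} {reason}")
```

To run it against a real retrieve, replace the two sample dictionaries with the contents of each `.page` and `.page-meta.xml` file.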


About Matt

Matt is a seasoned Salesforce Developer / Architect, with implementations of Sales Cloud, Service Cloud, CPQ, Experience Cloud, and numerous innovative applications built upon the Force.com platform. He started coding in grade 8 and has won awards ranging from international scholarships to internal corporate leadership awards. He is 37x Certified on the platform, including Platform Developer II, B2B Solution Architect and B2C Solution Architect.