Prepare for Critical Update: Clickjack Protection for Legacy Browsers for Visualforce Pages Without Page Header
In about a week's time, a Critical Update called Clickjack Protection for Legacy Browsers for Visualforce Pages Without Page Header (Critical Update) will come into effect. This CU extends clickjack protection for legacy browser versions to Visualforce pages that set showHeader="false" when those pages are configured on API versions older than 27.0.
Clickjack protection is added to VF pages through several security settings, and two of them are affected by this CU:
- Setup | Security | Session Settings > “Enable clickjack protection for customer Visualforce pages with headers disabled” enables clickjack protection on an org’s Visualforce pages that set the page’s showHeader attribute to false; and
- Setup | Develop | Sites > “Clickjack Protection Level” enables clickjack protection for Visualforce pages displayed in Force.com Sites.
Figure out which pages are affected:
Navigate to Setup | Develop | Visualforce Pages. Create a new view to show pages whose API version is 'less or equal' to 26.0, save it and run it. If no pages are listed there, you're good!
If you have results, you need to make sure your pages are compliant. Open each Visualforce page. If the page's contentType attribute is not "text/html" or "text/xhtml", the page is fine. Check the next one.
Specifically, you’re going to be looking for pages that have showHeader attribute set to false.
If the page has a hardcoded <head> tag, it is likely to have problems. To resolve this, manually hardcode static <html> and <body> tags in the page, and set the applyHtmlTag and applyBodyTag attributes of <apex:page> to false.
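The following is an added example, not markup from the original post: a hypothetical Visualforce page with the header disabled, shown first in the form that is likely to conflict with the injected clickjack protection, then rewritten so that the page supplies its own static <html> and <body> tags and tells the platform not to emit them. The page name, title and markup inside the body are assumptions for illustration; the apex:page attributes used (showHeader, contentType, applyHtmlTag, applyBodyTag) are the ones the post refers to.

```html
<!-- BEFORE (problematic): header disabled, text/html content, and a hardcoded
     <head> while the platform still generates its own html/head/body tags.
     The clickjack protection script is injected into the generated head, so a
     second, hand-written <head> can produce malformed or duplicated markup. -->
<apex:page showHeader="false" sidebar="false" contentType="text/html">
  <head>
    <title>Hypothetical order status page</title>
  </head>
  <h1>Order status</h1>
  <apex:outputText value="{!$CurrentPage.parameters.id}" />
</apex:page>

<!-- AFTER (compliant): the page owns the html/body structure outright.
     applyHtmlTag="false" and applyBodyTag="false" stop the platform from
     emitting its own tags, so the static <html>, <head> and <body> below
     are the only ones in the response and the protection has a single,
     well-formed document to attach to. -->
<apex:page showHeader="false" sidebar="false" standardStylesheets="false"
           contentType="text/html" docType="html-5.0"
           applyHtmlTag="false" applyBodyTag="false">
  <html>
    <head>
      <title>Hypothetical order status page</title>
      <!-- static head content (meta tags, stylesheets) goes here -->
    </head>
    <body>
      <h1>Order status</h1>
      <!-- outputText escapes the parameter value by default -->
      <apex:outputText value="{!$CurrentPage.parameters.id}" />
    </body>
  </html>
</apex:page>
```

After the rewrite, keep the page's API version in its metadata as it is and verify the result in a sandbox with the Critical Update activated: load the page directly and, separately, inside an iframe on a different origin, and confirm that it renders normally in the former case and is blocked in the latter.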
When you activate the CU in a sandbox, you should test every page, but pay special attention to those that fall into the last category.