Add Clickjack Protection for Legacy Browsers to Visualforce Pages Without Page Header Is Now Enforced (Critical Update)

Clickjack protection for legacy browsers was a critical update in Winter ’17 and was enforced for all orgs on February 10, 2017. This critical update extends legacy browser-compatible clickjack protection for Visualforce pages that set showHeader="false" and are configured to use API versions 26.0 or earlier.

Several security settings add clickjack protection to Visualforce pages. This critical update affects two of these settings. The “Enable clickjack protection for customer Visualforce pages with headers disabled” setting, located in Security | Session Settings in Setup, enables clickjack protection on an org’s Visualforce pages that set the page’s showHeader attribute to false. The “Clickjack Protection Level” setting, located in Develop | Sites in Setup, enables clickjack protection for Visualforce pages displayed in Force.com Sites.

Modern browsers are protected from clickjacking by setting the X-Frame-Options HTTP header. Legacy browsers, such as older versions of Internet Explorer, don’t respect this header. To enable clickjack protection for older browsers, some HTML markup and JavaScript code are added to the page itself.
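As an added illustration (not Salesforce’s own markup or code), this is the kind of in-page defense legacy browsers rely on, following the OWASP Clickjacking Defense Cheat Sheet pattern: a style rule hides the body until script confirms the document is the top-level window, and a framed page stays hidden while trying to break out of the frame. The style id, function names and the simulated window/document objects are assumptions made for this example.

```javascript
// Added example, not Salesforce's code. Legacy browsers ignore the
// X-Frame-Options header, so the defense has to live in the page itself.

const ANTI_CLICKJACK_STYLE_ID = 'antiClickjack'; // assumed id

// Markup emitted into the page head (constructed illustration): the body
// starts hidden and is revealed only by the script below.
const LEGACY_PROTECTION_MARKUP =
  `<style id="${ANTI_CLICKJACK_STYLE_ID}">body{display:none !important;}</style>`;

// True when this document is rendered inside a frame of another document.
function isFramed(win) {
  return win.self !== win.top;
}

// Returns 'revealed' when the hiding style was removed (top-level page) or
// 'hidden' when the page stays invisible because it is framed.
function applyLegacyClickjackProtection(win, doc) {
  const style = doc.getElementById(ANTI_CLICKJACK_STYLE_ID);
  if (!isFramed(win)) {
    if (style && style.parentNode) style.parentNode.removeChild(style);
    return 'revealed';
  }
  // Framed: body keeps display:none, so a transparent overlay has nothing to
  // collect clicks on; then try to navigate the top window to this page.
  try {
    win.top.location = win.self.location;
  } catch (e) {
    // A cross-origin top window may refuse the write; the page stays hidden.
  }
  return 'hidden';
}

// Minimal stand-in for window/document so the logic runs outside a browser
// (constructed for this example). `framed` selects whether top !== self.
function simulate(framed) {
  const self = { location: 'https://example.invalid/page' };
  const top = framed ? { location: 'https://framing-site.invalid/' } : self;
  const win = { self, top };
  const styleEl = { parentNode: null };
  const head = { children: [styleEl], removeChild(el) { this.children = this.children.filter(c => c !== el); } };
  styleEl.parentNode = head;
  const doc = { getElementById: id => (id === ANTI_CLICKJACK_STYLE_ID && head.children.includes(styleEl) ? styleEl : null) };
  const result = applyLegacyClickjackProtection(win, doc);
  return { result, styleRemoved: !head.children.includes(styleEl), topLocation: top.location };
}
```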

However, when rendered without the standard Salesforce page header (by setting the page’s showHeader attribute to false), Visualforce pages set to API version 26.0 or earlier don’t include the HTML markup and JavaScript code necessary to embed the clickjack protection scripts for legacy browsers. Legacy browser clickjack protection was omitted even when the org or site was configured to include the protection.

With this update enabled, Visualforce ensures that, when necessary, the expected markup and code are added to the page regardless of the page’s API setting. This update allows all Visualforce pages to respect the org or site’s clickjack protection settings.

This critical update has no effect on pages that set the page’s contentType attribute to any value besides “text/html” or “text/xhtml”.