Add Clickjack Protection for Legacy Browsers to Visualforce Pages Without Page Header Is Now Enforced (Critical Update)
Several security settings add clickjack protection to Visualforce pages. This critical update affects two of these settings. The Enable clickjack protection for customer Visualforce pages with headers disabled setting, located inin Setup, enables clickjack protection on an org’s Visualforce pages that set the page’s showHeader attribute to false. The Clickjack Protection Level setting, located in in Setup, enables clickjack protection for Visualforce pages displayed in Force.com Sites.
With this update enabled, Visualforce ensures that, when necessary, the expected markup and code are added to the page regardless of the page’s API setting. This update allows all Visualforce pages to respect the org or site’s clickjack protection settings.
This critical update has no effect on pages that set the page’s contentType attribute to any value besides “text/html” or “text/xhtml”.