Allow External iframes of Visualforce Pages with Clickjack Protection

Use iframes to include Visualforce pages on external web pages while enabling clickjack protection. Whitelist the external domains that you trust to bring your Visualforce content outside the Salesforce domain. Previously, it was all or nothing: You could allow iframes of Visualforce pages on all external domains or none at all.

Where: This change applies to Lightning Experience, Salesforce Classic, and all versions of the Salesforce app in Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, and Developer editions.

How: In Setup, search for Session Settings. Under Clickjack Protection, select Enable clickjack protection for customer Visualforce pages, either with headers disabled or with standard headers. Both options allow framing on whitelisted external domains and provide clickjack protection.

Then under Whitelisted Domains for Visualforce Inline Frames, add the trusted external domains where you allow framing.
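To confirm the setting behaves as intended, check which parent sites the page's response headers allow to frame it. The following is an added example, not Salesforce code: it assumes the protection reaches the browser through the standard `Content-Security-Policy: frame-ancestors` and `X-Frame-Options` response headers (this page does not say which headers are sent), and the header values, domains, and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """Return (scheme, host, port) for a URL or origin string."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def _source_matches(source, parent, page):
    """Match one frame-ancestors source (simplified: no paths or port wildcards)."""
    if source == "'none'":
        return False
    if source == "'self'":
        return parent == page
    if source == "*":
        return parent[0] in DEFAULT_PORTS
    if source.endswith(":") and "/" not in source:   # scheme-source such as https:
        return parent[0] == source[:-1].lower()
    if "://" not in source:                          # bare host: assume the page's scheme
        source = f"{page[0]}://{source}"
    try:
        scheme, host, port = _origin(source)
    except ValueError:                               # unparsable port, e.g. ":*"
        return False
    if (scheme, port) != (parent[0], parent[2]):
        return False
    if host.startswith("*."):                        # subdomains only, not the apex
        return parent[1].endswith(host[1:])
    return host == parent[1]

def framing_allowed(headers, parent_url, page_url):
    """True if these response headers let parent_url frame page_url (one ancestor)."""
    h = {k.lower(): v for k, v in headers.items()}
    parent, page = _origin(parent_url), _origin(page_url)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return any(_source_matches(s, parent, page) for s in parts[1:])
    xfo = h.get("x-frame-options", "").strip().upper()   # used only without frame-ancestors
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent == page
    return True                                      # no restriction: any site may frame

# Constructed sample response headers and URLs, not captured from a real org.
PAGE = "https://vf.example.test/apex/Status"
SAMPLE = {"Content-Security-Policy": "frame-ancestors 'self' https://portal.example.com"}
```

Feed it the headers returned for a Visualforce page and test both a trusted domain and one that is not on the list; a `True` result for an unlisted domain means the page is still frameable everywhere.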