{"id":11332,"date":"2025-09-02T11:49:46","date_gmt":"2025-09-02T11:49:46","guid":{"rendered":"https:\/\/www.greytrix.com\/blogs\/salesforce\/?p=11332"},"modified":"2025-09-02T11:49:47","modified_gmt":"2025-09-02T11:49:47","slug":"clickjack-protection-in-salesforce-why-your-iframe-wont-load","status":"publish","type":"post","link":"https:\/\/www.greytrix.com\/blogs\/salesforce\/2025\/09\/02\/clickjack-protection-in-salesforce-why-your-iframe-wont-load\/","title":{"rendered":"Clickjack Protection in Salesforce: Why Your iFrame Won\u2019t Load"},"content":{"rendered":"\n<p>Embedding web pages inside an iframe is a common technique used to display dashboards, third-party applications, or custom content within Salesforce. While this approach enhances user experience by bringing everything together on a single screen, many developers and admins often face a frustrating issue: the iframe content doesn\u2019t load.<\/p>\n\n\n\n<p>In most cases, this happens because of <strong>Salesforce\u2019s built-in clickjack protection<\/strong>, a vital security mechanism that prevents malicious attacks.<\/p>\n\n\n\n<p>This blog explains what clickjacking is, how Salesforce defends against it, why your iframe may fail to load, and how you can configure your org to safely allow iframes when required.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">What is Clickjacking?<\/mark><\/strong><\/h2>\n\n\n\n<p>Clickjacking is a cyberattack where users are tricked into clicking on hidden or misleading elements overlaid on a webpage. 
Attackers typically use transparent iframes or disguised layers to trick users into performing harmful actions such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Modifying account settings<\/li>\n\n\n\n<li>Authorizing unintended financial transactions<\/li>\n\n\n\n<li>Revealing sensitive data<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">How Salesforce Protects Against Clickjacking<\/mark><\/strong> <\/h2>\n\n\n\n<p>Salesforce implements multiple layers of protection to mitigate clickjacking risks:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>UI Clickjack Protection<\/strong> \u2013 Prevents Salesforce pages from being embedded in iframes on unauthorized sites.<\/li>\n\n\n\n<li><strong>API Clickjack Protection<\/strong> \u2013 Blocks API requests originating from untrusted iframe sources.<\/li>\n\n\n\n<li><strong>Frame-Ancestor Controls<\/strong> \u2013 Salesforce sets Content Security Policy (CSP) headers to restrict which domains are allowed to embed Salesforce pages.<\/li>\n<\/ul>\n\n\n\n<p>By default, Salesforce only permits its own domains to frame Salesforce content.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Why Your iFrame Doesn\u2019t Load in Salesforce<\/mark><\/strong><\/h2>\n\n\n\n<p>If you are embedding an external page inside a Visualforce page or Lightning component using an iframe and it fails to load, the reasons could include:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>The target site blocks framing<\/strong> \u2013 Many websites use X-Frame-Options: DENY or SAMEORIGIN, preventing their pages from being embedded.<\/li>\n\n\n\n<li><strong>Salesforce clickjack settings<\/strong> \u2013 Your Salesforce org may be blocking the content due to CSP restrictions or unapproved domains.<\/li>\n\n\n\n<li><strong>Mixed 
content issues<\/strong> \u2013 Browsers block insecure HTTP content from loading inside secure HTTPS Salesforce pages.<\/li>\n<\/ol>\n\n\n\n<center><a href=\"https:\/\/www.greytrix.com\/blogs\/salesforce\/wp-content\/uploads\/2025\/09\/1.-Iframe-not-loading-issue.png\" target=\"_blank\" rel=\"noreferrer noopener\"><img decoding=\"async\" class=\"size-full\" style=\"border: 1px solid #A9A9A9; padding: 2px; margin: 2px; align: center;\" src=\"https:\/\/www.greytrix.com\/blogs\/salesforce\/wp-content\/uploads\/2025\/09\/1.-Iframe-not-loading-issue.png\" alt=\"Iframe Load Failure\"><\/a><\/center><font size=\"2\"><center><i> Iframe Load Failure <\/i><\/center><\/font>\n\n\n\n<h2 class=\"wp-block-heading\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">How to fix iFrame Loading Issues in Salesforce<\/mark><\/strong><\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Review Clickjack Protection Settings<\/li>\n<\/ol>\n\n\n\n<p>Navigate to:<br>Setup \u2192 Session Settings \u2192 Clickjack Protection<\/p>\n\n\n\n<p>Here you\u2019ll find options as shown in the image below to configure iframe protection:<\/p>\n\n\n\n<center><a href=\"https:\/\/www.greytrix.com\/blogs\/salesforce\/wp-content\/uploads\/2025\/09\/2.-Enable-Clickjack-protection.png\" target=\"_blank\" rel=\"noreferrer noopener\"><img decoding=\"async\" class=\"size-full\" style=\"border: 1px solid #A9A9A9; padding: 2px; margin: 2px; align: center;\" src=\"https:\/\/www.greytrix.com\/blogs\/salesforce\/wp-content\/uploads\/2025\/09\/2.-Enable-Clickjack-protection.png\" alt=\"Enable Clickjack Protection\"><\/a><\/center><font size=\"2\"><center><i> Enable Clickjack Protection<\/i><\/center><\/font>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Note:<\/p>\n<cite>Disabling clickjack protection can expose your org to security risks \u2014 proceed with caution.<\/cite><\/blockquote>\n\n\n\n<ol 
class=\"wp-block-list\" start=\"2\">\n<li>Whitelist Trusted Domains<\/li>\n<\/ol>\n\n\n\n<p>Salesforce allows you to whitelist trusted domains to embed Salesforce pages in iframes or allow your Visualforce pages to embed external content.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Navigate to Setup \u2192 CSP Trusted Sites<\/li>\n\n\n\n<li>Add the external domains you want to enable for iframe use<\/li>\n<\/ul>\n\n\n\n<center><a href=\"https:\/\/www.greytrix.com\/blogs\/salesforce\/wp-content\/uploads\/2025\/09\/3.Add-Trusted-URL.png\" target=\"_blank\" rel=\"noreferrer noopener\"><img decoding=\"async\" class=\"size-full\" style=\"border: 1px solid #A9A9A9; padding: 2px; margin: 2px; align: center;\" src=\"https:\/\/www.greytrix.com\/blogs\/salesforce\/wp-content\/uploads\/2025\/09\/3.Add-Trusted-URL.png\" alt=\"Add Trusted URL\"><\/a><\/center><font size=\"2\"><center><i> Add Trusted URL <\/i><\/center><\/font>\n\n\n\n<ol class=\"wp-block-list\" start=\"3\">\n<li>Use Lightning Web Components (Preferred)<\/li>\n<\/ol>\n\n\n\n<p>Instead of embedding entire web pages, a more secure option is to use <strong>Lightning Web Components (LWC)<\/strong> with API integrations. LWCs can fetch data from external systems and render it natively in Salesforce, avoiding iframe-related issues altogether.<\/p>\n\n\n\n<p>Let\u2019s say you want to show product inventory from an external system inside a Salesforce page. You can build a Lightning Web Component that calls the external system\u2019s API and renders the data in the native Salesforce UI. 
For example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ inventoryViewer.js\n\/\/ The API origin must be added to CSP Trusted Sites, or the browser blocks this fetch.\nimport { LightningElement, track } from 'lwc';\n\nexport default class InventoryViewer extends LightningElement {\n    @track inventory;\n\n    connectedCallback() {\n        fetch('https:\/\/api.example.com\/inventory')\n            .then(res =&gt; {\n                \/\/ fetch() resolves on HTTP errors too, so reject non-2xx responses here\n                if (!res.ok) {\n                    throw new Error('HTTP ' + res.status);\n                }\n                return res.json();\n            })\n            .then(data =&gt; {\n                this.inventory = data;\n            })\n            .catch(error =&gt; {\n                console.error('Error fetching inventory:', error);\n            });\n    }\n}\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;!-- inventoryViewer.html --&gt;\n&lt;template&gt;\n    &lt;template if:true={inventory}&gt;\n        &lt;ul&gt;\n            &lt;template for:each={inventory.items} for:item=\"item\"&gt;\n                &lt;li key={item.id}&gt;{item.name} \u2014 {item.quantity} in stock&lt;\/li&gt;\n            &lt;\/template&gt;\n        &lt;\/ul&gt;\n    &lt;\/template&gt;\n&lt;\/template&gt;<\/code><\/pre>\n\n\n\n<p>After applying the recommended settings and configurations, your iframe or embedded content should load smoothly within Salesforce. 
Below is an example screenshot showing a successful iframe load, confirming that the clickjack protection and CSP settings are correctly configured:&nbsp;<\/p>\n\n\n\n<center><a href=\"https:\/\/www.greytrix.com\/blogs\/salesforce\/wp-content\/uploads\/2025\/09\/4.Iframe-loaded.png\" target=\"_blank\" rel=\"noreferrer noopener\"><img decoding=\"async\" class=\"size-full\" style=\"border: 1px solid #A9A9A9; padding: 2px; margin: 2px; align: center;\" src=\"https:\/\/www.greytrix.com\/blogs\/salesforce\/wp-content\/uploads\/2025\/09\/4.Iframe-loaded.png\" alt=\"Iframe Loaded Successfully\"><\/a><\/center><font size=\"2\"><center><i> Iframe Loaded Successfully <\/i><\/center><\/font>\n\n\n\n<h2 class=\"wp-block-heading\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Best Practices<\/mark><\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use iframes sparingly due to their inherent security risks.<\/li>\n\n\n\n<li>Regularly audit your org\u2019s <strong>CSP Trusted Sites<\/strong> and <strong>Clickjack Protection<\/strong> settings.<\/li>\n\n\n\n<li>Always test iframe integrations in a sandbox before deploying to production.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Conclusion<\/mark><\/strong><\/h2>\n\n\n\n<p>Clickjack protection is a crucial Salesforce security feature that shields users from malicious attacks, but it can also prevent iframe content from loading. 
By understanding Salesforce\u2019s security framework and applying the right configurations such as whitelisting trusted domains, adjusting CSP settings, or using LWCs you can embed external content securely and seamlessly.<\/p>\n\n\n\n<p>Following these best practices ensures your Salesforce org remains both <strong>secure and user-friendly.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Embedding web pages inside an iframe is a common technique used to display dashboards, third-party applications, or custom content within Salesforce. While this approach enhances user experience by bringing everything together on a single screen, many developers and admins often face a frustrating issue: the iframe content doesn\u2019t load. 
In most cases, this happens because\u2026 <span class=\"read-more\"><a href=\"https:\/\/www.greytrix.com\/blogs\/salesforce\/2025\/09\/02\/clickjack-protection-in-salesforce-why-your-iframe-wont-load\/\">Read More &raquo;<\/a><\/span><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[2308,2305,2310,2311,2313,2302,2306,2303,2304,2307,2312,2309],"class_list":["post-11332","post","type-post","status-publish","format-standard","hentry","category-salesforce-srv","tag-api-clickjack-protection","tag-clickjack-protection-in-salesforce","tag-csp-frame-ancestor","tag-external-sites-in-iframe","tag-mixed-content-issues","tag-salesforce-clickjack-protection","tag-salesforce-csp-trusted-sites","tag-salesforce-iframe","tag-salesforce-iframe-not-loading","tag-salesforce-iframe-settings","tag-ui-clickjack-protection","tag-visualforce-iframe-issue"],"_links":{"self":[{"href":"https:\/\/www.greytrix.com\/blogs\/salesforce\/wp-json\/wp\/v2\/posts\/11332","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.greytrix.com\/blogs\/salesforce\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.greytrix.com\/blogs\/salesforce\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.greytrix.com\/blogs\/salesforce\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.greytrix.com\/blogs\/salesforce\/wp-json\/wp\/v2\/comments?post=11332"}],"version-history":[{"count":9,"href":"https:\/\/www.greytrix.com\/blogs\/salesforce\/wp-json\/wp\/v2\/posts\/11332\/revisions"}],"predecessor-version":[{"id":11398,"href":"https:\/\/www.greytrix.com\/blogs\/salesforce\/wp-json\/wp\/v2\/posts\/11332\/revisions\/11398"}],"wp:attachment":[{"href":"https:\/\/www.greytrix.com\/blogs\/salesforce\/wp-json\/wp\/v2\/media?parent=11332"}],"wp:term":[{"taxonomy":"category","embeddable":tr
ue,"href":"https:\/\/www.greytrix.com\/blogs\/salesforce\/wp-json\/wp\/v2\/categories?post=11332"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.greytrix.com\/blogs\/salesforce\/wp-json\/wp\/v2\/tags?post=11332"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}