KI-118

Enabling clickjack protections for Visualforce pages causes document workflows to become unresponsive

Created date

04/04/2024

Updated date

04/12/2024

Status

Done

Related work item

PLTFM-2599

Description

Enabling clickjack protections prevents iframes from loading during document workflows, causing the workflows to become unresponsive. Komodo Health therefore recommends not enabling clickjack protections for Visualforce pages. However, if you do wish to enable clickjack protections, follow Salesforce’s instructions on how to Enable Clickjack Protection for Visualforce Pages.

Affects version(s)

All versions

Impacted capabilities

N/A

Steps to reproduce

  1. In Setup, search for and select Session Settings.

  2. In the Clickjack Protection section, check both of the following:

    • Enable clickjack protection for customer Visualforce pages with standard headers

    • Enable clickjack protection for customer Visualforce pages with headers disabled

  3. Click Save.

  4. On a document, start a workflow and assign a task to a user.

  5. In the last screen of the Start Workflow modal, click Start.

Notice how the workflow modal keeps loading until the page becomes unresponsive. The workflow doesn’t run as expected and the task is not assigned to the user.

Workaround

To ensure that workflows run as expected, do not enable clickjack protection. However, if you do wish to enable clickjack protection in your Salesforce environment, make sure you add the trusted Visualforce domain(s) to your Salesforce allowlist. Reference the resolution notes for more information.

Fix version

N/A

Resolution notes

To enable clickjack protection in your Salesforce environment, add the base URL of your Salesforce environment as a trusted domain for inline frames. For more information, reference Salesforce’s document on how to Specify Trusted Domains for Inline Frames or follow the steps below:

  1. In Setup, search for and select Session Settings.

  2. In the Clickjack Protection section, make sure that the following are not checked:

    • Enable clickjack protection for customer Visualforce pages with standard headers

    • Enable clickjack protection for customer Visualforce pages with headers disabled

    If they are already checked, uncheck them, click Save, and stay on the Session Settings page.

  3. In the Trusted Domains for Inline Frames section, click Add Domain.

  4. In the Domain field, enter the base URL of your Salesforce environment.

  5. In the IFrame Type field, leave the selection as Visualforce pages.

  6. Click Save. You return to the Session Settings page.

  7. In the Clickjack Protection section, check the two checkboxes listed in Step 2.

  8. Click Save.

You will be able to start document workflows as usual.
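
To confirm the result after Step 8, the following added example (not code from Komodo Health or Salesforce) evaluates a page's framing headers the way a browser does and reports whether a given parent origin may embed it. It assumes the protection is delivered through the standard `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` response headers; the URLs and header values are constructed placeholders.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample values (assumptions, not taken from this page)
PAGE = "https://vf.org.example/apex/StartWorkflow"   # framed Visualforce page
PARENT = "https://org.example"                       # base URL that embeds it
BEFORE = {"Content-Security-Policy": "frame-ancestors 'self'", "X-Frame-Options": "SAMEORIGIN"}
AFTER = {"Content-Security-Policy": "frame-ancestors 'self' https://org.example"}

def origin(url):
    """Return (scheme, host, port) of a URL, with the default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def source_matches(source, parent, page):
    """Match one frame-ancestors source expression against the parent's origin."""
    if source == "'self'":
        return parent == page
    if source == "*":
        return parent[0] in DEFAULT_PORTS
    if source.endswith(":"):                     # scheme-source such as "https:"
        return parent[0] == source[:-1].lower()
    scheme, _, rest = source.lower().rpartition("://")
    host, _, port = rest.split("/")[0].partition(":")
    if parent[0] != (scheme or page[0]):         # simplification: schemeless source uses the page's scheme
        return False
    if host.startswith("*."):                    # wildcard covers subdomains only
        host_ok = parent[1].endswith(host[1:])
    else:
        host_ok = parent[1] == host
    wanted = int(port) if port.isdigit() else DEFAULT_PORTS.get(parent[0])
    return host_ok and (port == "*" or parent[2] == wanted)

def may_frame(headers, page_url, parent_url):
    """True if a browser would let parent_url embed page_url in an iframe."""
    page, parent = origin(page_url), origin(parent_url)
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # frame-ancestors takes precedence over X-Frame-Options when both are sent
            return any(source_matches(s, parent, page) for s in parts[1:])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent == page
    return True                                  # no framing restriction was sent
```

Browsers apply the same check to every ancestor frame, so call `may_frame` once per embedding origin when the workflow page is nested more than one level deep.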