Enable support for Salesforce clickjack protection

  • Idea
  • Updated 5 months ago
When "Enable clickjack protection for customer Visualforce pages with headers disabled" is enabled, per Salesforce Security recommendations, the RingCentral CTI Dialer does not load in the Salesforce Classic sidebar. This can be easily fixed by following recommendation option 3 found here: https://help.salesforce.com/articleView?id=000230608&type=1&language=en_US

which is to add

showHeader="false" applyHtmlTag="false"

to the Visualforce line starting with apex:page.

Unfortunately, we either can't use the CTI in Classic or must disable security settings that are strongly recommended until this is fixed.
Kevin Hart

Posted 5 months ago
Jitender Kumar, Director Application Development
Hello Kevin,
Thanks for your note; we will check on our side. Meanwhile, can you please try a relative path for the CTI URL in the call center:

./apex/rcsfl__OpenCTIIndex999
Kevin Hart
If I use the relative path, I either get the "URL has moved" message (generic Salesforce page) when expanding the utility bar for RingCentral in Lightning, or, if I leave out the dot, I get "Page OpenCTIIndex999 does not exist".

Jitender Kumar, Director Application Development
Hi Kevin,

Our engineer tested the setup in a developer org.

Essentially, the 3rd option would force VF pages to be loaded with same-origin headers. This can be suppressed by the said showHeader="false" property on the individual VF pages.

However, the 4th option would enforce the same-origin header regardless of the showHeader property, for added security. This way the org admin can completely lock down VF pages from any possible external origins.

Currently, according to the release notes from Salesforce, the only way around this is to either disable the 4th option or not use iframes to embed VF pages. Unfortunately, it is also Salesforce's choice to implement Open CTI support with iframes.
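For an admin diagnosing this, the practical question is what the VF page's response headers mean for an iframe hosted on the org's own origin. The following is an added example, not RingCentral's or Salesforce's code; it assumes the "same-origin headers" discussed above are the standard X-Frame-Options and Content-Security-Policy frame-ancestors headers, and the two URLs are constructed to model a packaged page on a different Salesforce subdomain than the org.

```python
from urllib.parse import urlsplit
# Added example (not RingCentral's or Salesforce's code). Assumes clickjack protection
# is enforced via the standard X-Frame-Options / CSP frame-ancestors response headers.

def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def _csp_source_matches(source, embedder_url):
    """Match one frame-ancestors host source (origin, host or *.host)."""
    e = urlsplit(embedder_url)
    src_host = source.lower()
    if "://" in src_host:
        scheme, _, src_host = src_host.partition("://")
        if scheme != e.scheme.lower():
            return False
    if src_host.startswith("*."):
        return e.netloc.lower().endswith(src_host[1:])
    return e.netloc.lower() == src_host

def framing_allowed(headers, page_url, embedder_url):
    """Return (allowed, reason) for embedding page_url in an iframe hosted at
    embedder_url. CSP frame-ancestors wins over X-Frame-Options, as in browsers."""
    h = {k.lower(): v for k, v in headers.items()}
    same_origin = origin_of(page_url) == origin_of(embedder_url)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if "'none'" in sources:
                return False, "frame-ancestors 'none'"
            if "*" in sources or ("'self'" in sources and same_origin):
                return True, "frame-ancestors permits this embedder"
            if any(_csp_source_matches(s, embedder_url) for s in sources if s[0] != "'"):
                return True, "frame-ancestors lists the embedder origin"
            return False, "frame-ancestors does not list the embedder"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return same_origin, "X-Frame-Options: SAMEORIGIN"
    return True, "no framing restriction header"

# Constructed URLs: a packaged VF page on a Salesforce subdomain that differs from the org's origin.
CTI_PAGE = "https://example--rcsfl.visualforce.com/apex/OpenCTIIndex999"
ORG_PAGE = "https://example.lightning.force.com/lightning/page/home"
if __name__ == "__main__":
    for hdrs in ({}, {"X-Frame-Options": "SAMEORIGIN"},
                 {"Content-Security-Policy": "frame-ancestors 'self' https://*.lightning.force.com"}):
        print(hdrs, framing_allowed(hdrs, CTI_PAGE, ORG_PAGE))
```

Run it against the headers actually returned for the CTI page (from the browser's network panel) to see whether the cross-subdomain iframe is being blocked by policy rather than by a wrong URL.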


Jitender Kumar, Director Application Development
Unfortunately, the relative path won't work for Lightning. Let me get back to you when we can make the change you suggested.
Kevin Hart
We have successfully overcome this issue within iframes embedded on record pages with our own code by also setting:

applyHtmlTag="false"

in addition to showHeader="false"

such as:

(You'll need to set whichever controller is appropriate for your use, of course!)

Can this be tested at least please?

Thank you again for your help!
Jitender Kumar, Director Application Development
Hello Kevin,
I would like to ask how you tested your VF page. If it is in the same Salesforce org, then it has a lot fewer security restrictions. The challenge with our app is that, since it is a third-party packaged app in Salesforce, it is loaded from other subdomains of Salesforce.
Kevin Hart
This is a good point. It may be possible to add an exception for the domain in CORS or similar. It also may be that once the critical update for domain name flattening is enabled, it helps this situation.