Why refused to display in a frame because it set 'X-Frame-Options' to 'sameorigin'?

Asked by AnishaDalal in Salesforce, Asked on Apr 22, 2021

My requirement is to show a standard VF page in a custom Visualforce page. I am using apex:iframe with the 'src' parameter and the value as a relative URL to the standard VF page. It does not give any error at compile time, but at runtime it only shows a blank page. Then I opened the developer console in the browser, and it shows an error that says "Refused to display 'https://ap2.salesforce.com/001' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'".

This is my iframe. 
Answered by Angela Baker

You cannot display parts of websites inside an iframe. The reason is that they send an "X-Frame-Options: SAMEORIGIN" response header. This option prevents the browser from displaying iframes that are not hosted on the same domain as the parent page. This is a security feature to prevent clickjacking.



"Enable clickjack protection for customer Visualforce pages with headers disabled"
in Setup > Security Controls > Session Settings
Hope this will help!
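
The framing decision described in the answer above, sketched as an added example that is not part of the original answer or of Salesforce's code. It follows the X-Frame-Options processing in the HTML Standard in simplified form; the parent URLs are hypothetical, and only the framed URL is taken from the error message in the question.

```javascript
// Added example: models the X-Frame-Options check a browser runs before
// rendering a response in a frame. Simplified from the HTML Standard; a CSP
// frame-ancestors directive, which replaces this check, is not modelled.

// Collect every comma-separated header token, lowercased, into a set.
function parseXfo(headerValues) {
  const tokens = new Set();
  for (const line of headerValues) {
    for (const part of line.split(",")) {
      const token = part.trim().toLowerCase();
      if (token) tokens.add(token);
    }
  }
  return tokens;
}

// framedUrl: URL loaded in the frame. ancestorUrls: URL of every document
// above it (parent first). xfoHeaderValues: raw X-Frame-Options header lines.
function mayRenderInFrame(framedUrl, ancestorUrls, xfoHeaderValues) {
  const tokens = parseXfo(xfoHeaderValues);
  const known = ["deny", "sameorigin", "allowall"];
  if (tokens.size > 1) {
    // Conflicting values block the load when any recognised token is present.
    return !known.some((k) => tokens.has(k));
  }
  if (tokens.has("deny")) return false;
  if (tokens.has("sameorigin")) {
    const target = new URL(framedUrl).origin; // scheme + host + port
    // Every ancestor must match, not only the immediate parent.
    return ancestorUrls.every((u) => new URL(u).origin === target);
  }
  return true; // header absent or unrecognised (e.g. the obsolete ALLOW-FROM)
}

// Constructed inputs: only FRAMED comes from the error message in the question.
const FRAMED = "https://ap2.salesforce.com/001";
const OTHER_PARENT = "https://vf-pages.example/apex/MyPage"; // hypothetical
const SAME_PARENT = "https://ap2.salesforce.com/home"; // hypothetical

const cases = [
  ["cross-origin parent, SAMEORIGIN", [OTHER_PARENT], ["SAMEORIGIN"]],
  ["same-origin parent, SAMEORIGIN", [SAME_PARENT], ["SAMEORIGIN"]],
  ["same-origin parent nested in another site", [SAME_PARENT, OTHER_PARENT], ["SAMEORIGIN"]],
  ["no header sent", [OTHER_PARENT], []],
];
for (const [label, ancestors, headers] of cases) {
  const ok = mayRenderInFrame(FRAMED, ancestors, headers);
  console.log(`${label}: ${ok ? "rendered" : "refused"}`);
}
```

The first case reproduces the situation in the question: the framed page's origin differs from the parent's, so the browser refuses to render it.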

Answer (1)

The X-Frame-Options HTTP header is used to control whether a browser should be allowed to render a page in a ,