Visualforce Developer Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
Introducing Visualforce
Tools for Visualforce Development
Getting a Quick Start with Visualforce
Compile Visualforce Successfully
Creating Your First Page
Displaying Field Values with Visualforce
Using the Visualforce Component Library
Override an Existing Page with a Visualforce Page
Redirecting to a Standard Object List Page
Using Input Components in a Page
Adding and Customizing Input Field Labels
Setting the Tab Order for Fields in a Form
Adding Dependent Fields to a Page
Create Visualforce Dashboard Components
Displaying Related Lists for Custom Objects
Enabling Inline Editing
Converting a Page to a PDF File
Building a Table of Data in a Page
Editing a Table of Data in a Page
Using Query String Parameters in a Page
Use Ajax in a Page
Put Visualforce Pages on External Domains
Customizing the Appearance and Output of Visualforce Pages
Standard Controllers
Standard List Controllers
Custom Controllers and Controller Extensions
Advanced Examples
Override Buttons, Links, and Tabs with Visualforce
Using Static Resources
Creating and Using Custom Components
Dynamic Visualforce Bindings
Dynamic Visualforce Components
Integrate Email with Visualforce
Visualforce Charting
Creating Maps with Visualforce
Render Flows with Visualforce
Templating with Visualforce
Developing Salesforce Apps with Visualforce
Adding Visualforce to a Salesforce AppExchange App
Using JavaScript in Visualforce Pages
Communicating Across the DOM with Lightning Message Service
Visualforce Best Practices
Standard Visualforce Component Reference
Appendices
PDF

Put Visualforce Pages on External Domains

To frame your Visualforce content on a trusted external domain, enable clickjack protection, and then specify the domains where you allow framing. If your Visualforce page requires authentication, use a custom domain to serve your Visualforce content on the same domain that frames the page.

Options to Frame Authenticated Visualforce Pages

When a website loads an authenticated Visualforce page in an iframe, the authentication process relies on a Salesforce session cookie. Because browsers block third-party cookies, framing an authenticated Visualforce page requires additional steps.

To frame an authenticated Visualforce page or other authenticated site content, we recommend that you use a custom domain to serve the framed content. With a custom domain, you serve your site content on a domain that you own, such as https://www.example.com. Most importantly, you can serve your authenticated content in Salesforce on the same registrable domain as the page that frames it, allowing the required session cookie when browsers block third-party cookies.

There are two methods for configuring a custom domain to serve the authenticated content.

  • Serve the authenticated content on a subdomain of the registrable domain for the site that frames the content. For example, if your website is example.com, use a custom domain to serve your authenticated site content on a subdomain such as site.example.com. This approach also works if the domain of the site that frames the content is another subdomain, such as www.example.com.
  • Set up a custom domain to serve the authenticated page on the same domain that frames it. Use a third-party service or CDN to serve the custom domain, including completing the required prerequisites. Be careful to avoid conflicts between your chosen custom URL path prefixes and other content served on the domain.

    When you use this option, include the Salesforce-served URL path prefix when you frame the content. For example, if your custom domain is example.com, to serve an Experience Cloud site page with a site path of /store, frame this URL: https://example.com/store.

If you can’t use a custom domain to serve the authenticated content, you can use Lightning Out (beta) with token-based authentication to serve the content. For more information, see Use Components Outside Salesforce with Lightning Out in the Lightning Web Components Developer Guide.

Lightning Out is a Beta Service. Customer may opt to try such Beta Service in its sole discretion. Any use of the Beta Service is subject to the applicable Beta Services Terms provided at Agreements and Terms.

Note

If those options aren’t viable, you can’t load the authenticated Visualforce page in an iframe on an external website. Open the page in a new browser window or tab instead.

Enable Clickjack Protection and Specify Trusted Domains for Inline Frames

To help protect against clickjack attacks, allow only trusted external sites to load your Visualforce pages in an inline frame (iframe).

From Setup, in the Quick Find box, search for Session Settings, and then click Session Settings. Under Clickjack Protection, select Enable clickjack protection for customer Visualforce pages with headers disabled and Enable clickjack protection for customer Visualforce pages with standard headers.

Then under Trusted Domains for Inline Frames, add the trusted external domains where you allow framing and set the iframe type to Visualforce Pages. Ensure that your domain names meet format requirements. You can add up to 512 external domains.

After you add external domains to the list, Visualforce pages render with the X-Frame-Options and Content-Security-Policy HTTP headers set to allow framing by those domains.

Example HTML

This code shows how to frame a Visualforce page on an external domain.

<html>
    <head></head>
    <body>
        <iframe src="https://MyDomainName--PackageName.vf.force.com/apex/iframe"></iframe>
    </body>
</html>