Canvas Developer Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
Getting Started
Using Canvas
Canvas SDK
Referencing the Canvas SDK
Authentication
Getting Context in Your Canvas App
Cross-Domain XHR
Alternatives to Cookies for User Tracking
Resizing a Canvas App
Implementing Canvas App Events
Using Streaming API in a Canvas App
Debugging in a Canvas App
Using the <select> Tag in a Canvas App
Canvas Apps and Visualforce Pages
Lightning Component Code Examples
Canvas Apps in a Page Layout or a Mobile Card
Canvas Apps in the Publisher
Canvas Apps in the Chatter Feed
Canvas in the Salesforce Mobile App
Customizing Your App Lifecycle
Reference
PDF

Alternatives to Cookies for User Tracking

When creating websites and applications, the HTML <iframe> element lets you display third-party content within the current page window. As modern browsers have increased privacy for end users, the iframe structure is becoming more scrutinized and restricted. Third-party applications exposed as Canvas apps are surfaced in the Salesforce user interface via an iframe. To avoid problems loading your Canvas apps in Salesforce, design applications that don’t rely on cookies, session storage, or local storage to track users.

Cookies and other storage have traditionally been reliable ways to add application state on top of the state-less HTTP protocol. However, cookies and storage also allow applications to track users in ways that users don’t suspect. Modern browsers are working to enhance privacy and security on the web. Applications written years ago may not behave the same way in modern browsers or when used in iframe containers by applications, such as Salesforce. In the past, content hosted in an iframe would access its own storage, as if it was hosted in a first-party context. Browsers now treat content hosted in an iframe as third-party applications.

Third-party applications exposed as Canvas apps work outside of Salesforce, but when exposed in Salesforce via an iframe, the content may not load properly because the content is served from a different domain. Browsers place tracking and user-privacy restrictions on these applications when they’re used in Salesforce. For example:

  • Cookies are not sent in page requests and XHRs.
  • Session storage and local storage access are denied.
  • JavaScript APIs, such as alert() and confirm(), are blocked.

To avoid problems late in development, test Canvas apps in a Salesforce container early. To design applications that don’t rely on cookies, session storage, or local storage to track users, build your Canvas apps as single-page applications (SPAs).

One side effect of not using cookies or storage is that you may not be logged into your application in multiple tabs. If SPAs don’t work for your development scenarios, ask your users to temporarily allow tracking for the browser where your Canvas app is used. Modifying settings in your web browser typically affects all websites, not just Salesforce. In Chrome and Firefox, you may add specific domains to always allow cookies, and can instruct your users to do the same. See this list of Salesforce’s standard domains, and add any third-party applications domains.

Warning

Use the Signed Request for Authentication

SPAs work with Canvas and iframes. These applications don’t use page-level navigation after their first page load. Instead, they dynamically rewrite the page as the user interacts, which means that the same JavaScript execution context is kept for the lifetime of the app. To authorize users within your application, use the CanvasRequest object. After the first request, store the authorization token for your app in JavaScript instead of in cookies or local storage. Authorize HTTPS requests using authorization headers through the fetch() or XMLHttpRequest standard web APIs.

See Signed Request Authentication for details on the CanvasRequest object.

Single-page applications can also request temporary access to cookies and other tracking data using the Storage Access API. This API relies on explicit user interaction to allow access to cookies. Access is granted until the application navigates, which is why a single-page application is preferred over multi-page applications.

The storage access API is not available in all browsers, and behaves differently in each browser. See Storage Access API for details.

Note

Stay Up-to-Date with Browser Changes

Different browsers behave differently and are actively changing their behaviors as privacy on the web evolves. Refer to each browser’s guidelines for the most up-to-date information.