Spring '15 - Clickjack protection update on Reports and Dashboards

Visualforce, Spring '15

Last updated 2017-04-14 ·Reference W-2396080 ·Reported By 34 users

Fixed - Spring '15

Summary
What update was rolled out in Spring '15?

In the Spring '14 release, Clickjack Protection for Non-Setup Pages was auto-activated in February 2014:
https://success.salesforce.com/issues_view?id=a1p30000000T2k4AAC

Since that release we identified that the Reports and Dashboard non-setup pages had not been identified and included in the original security critical update. In Spring '15 we rolled out the necessary fixes for these non-setup pages; they are now covered by the clickjack protection security feature under Setup > Security Controls > Session Settings.
http://www.salesforce.com/us/developer/docs/securityImplGuide/Content/admin_sessions.htm


Why is this important?
If Clickjack protection is disabled on reports, a report page could be loaded in an iframe on a malicious domain without the customer's knowledge. This can lead to them performing actions such as deleting reports without even realizing it.


Please note that this issue is independent from Visualforce page Homepage Components: https://success.salesforce.com/issues_view?id=a1p30000000T4jRAAS

Repro
Up until Spring '15 you may have had Visualforce pages that used iframes to display Reports or Dashboards, like so.

<apex:page>
<iframe src="/{!ReportId}" name="Standard Report page iframed"/>
</apex:page>

Now that Clickjack protection is enabled, you will see a response or error in the Chrome console (for example) like the following:

Refused to display 'https://{instance}.salesforce.com/01Z............' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
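The console message above is the browser enforcing the X-Frame-Options response header: the report is served from the Salesforce instance domain, the Visualforce page from a different domain, so SAMEORIGIN refuses the frame. The following is an added example (not Salesforce code) that models that decision so an administrator can check, offline, whether a given set of response headers would let a page be framed from a given origin. It uses constructed URLs and header values; the Visualforce and instance host names, the report ID and the helper names are assumptions. It is a simplified model: only the top-level embedding origin is compared (real browsers check every ancestor frame), and CSP frame-ancestors source matching handles only 'self', 'none' and exact origins, not wildcards.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Return scheme://host[:port], the tuple browsers compare for same-origin."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    default_port = {"https": 443, "http": 80}.get(parts.scheme)
    if parts.port is None or parts.port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{parts.port}"


def framing_allowed(response_headers: Dict[str, str],
                    resource_url: str,
                    embedder_url: str) -> Tuple[bool, str]:
    """Decide whether a browser would render resource_url in a frame on embedder_url.

    Simplified model (assumption): only the top-level embedding document's origin
    is checked. A CSP frame-ancestors directive, when present, takes precedence
    over X-Frame-Options, as the CSP specification requires.
    """
    headers = {k.lower(): v for k, v in response_headers.items()}
    resource_origin = origin_of(resource_url)
    embedder_origin = origin_of(embedder_url)

    # Content-Security-Policy: frame-ancestors wins over X-Frame-Options.
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            if "'none'" in sources:
                return False, "CSP frame-ancestors 'none'"
            if "'self'" in sources and embedder_origin == resource_origin:
                return True, "CSP frame-ancestors 'self' matches embedder origin"
            if embedder_origin in sources:
                return True, "CSP frame-ancestors lists the embedder origin"
            return False, "CSP frame-ancestors does not list the embedder origin"

    # Fall back to X-Frame-Options (DENY / SAMEORIGIN).
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options DENY"
    if xfo == "SAMEORIGIN":
        if embedder_origin == resource_origin:
            return True, "X-Frame-Options SAMEORIGIN, embedder is same-origin"
        return False, (f"Refused: X-Frame-Options SAMEORIGIN, embedder "
                       f"{embedder_origin} != {resource_origin}")
    return True, "no framing restriction in response headers"


# Constructed sample values (assumptions, not real org data).
REPORT_URL = "https://example.my.salesforce.com/01Z0000000EXAMPLE"
VISUALFORCE_PAGE = "https://example--c.vf.force.com/apex/ReportFrame"
SAME_ORIGIN_PAGE = "https://example.my.salesforce.com/lightning"
CLICKJACK_PROTECTED = {"X-Frame-Options": "SAMEORIGIN"}


def demo() -> Dict[str, bool]:
    """Run the three cases the known issue describes and return the verdicts."""
    return {
        "visualforce_iframe": framing_allowed(CLICKJACK_PROTECTED, REPORT_URL, VISUALFORCE_PAGE)[0],
        "same_origin_iframe": framing_allowed(CLICKJACK_PROTECTED, REPORT_URL, SAME_ORIGIN_PAGE)[0],
        "protection_disabled": framing_allowed({}, REPORT_URL, VISUALFORCE_PAGE)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'refused'}")
```

The third case, with no X-Frame-Options header at all, is the pre-fix state the "Why is this important?" section describes: any origin could frame the report page. Feeding the function the headers captured from your own org's responses is a quick way to confirm the protection is in effect after the update.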

Workaround
Unfortunately, there is no longer a way to iframe a dashboard or report into a Visualforce page.

You must load the content from within its serving domain. For example, you can link to the report/dashboard so that it opens in a new window or in the current document by using the target attribute on the <apex:commandLink> component or the <a> tag.


If you have any suggestions on what to implement in a future release, please use our IdeaExchange site to log suggestions for new features or changes. The more votes an Idea has, the more visibility it will have with its related team in Salesforce, and the more likely it is to be taken under consideration.

For example:
https://success.salesforce.com/ideaView?id=08730000000l5khAAA - Suggestion "We are asking that this be fixed so that URLs from standard and visualforce pages are NOT flagged as being from different servers, avoiding the ClickJacking critical update completely"
https://success.salesforce.com/ideaView?id=08730000000jxbtAAA - Suggestion "Visualforce page component that could accept the id of a dashboard and output it"

Any unreleased services, features, statuses, or dates referenced in this or other public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make their purchase decisions based upon features that are currently available.