Friday, 8 April 2016

What is ClickJack Protection

This blog post came thanks to an email from Jamie Cooper at NewVoiceMedia.

Amongst the hundreds of new features within Summer 15 you may well have missed the notification around ClickJack Protection.

However, now that ClickJack Protection is 'Default On' for ORGs, (controlled via Setup > Security Controls > Session Settings) you may come across this type of issue more often going forward.

"URL No Longer Exists"

This post will try to explain ClickJack and how it affects pages in your Salesforce environment.

What is ClickJacking?

ClickJacking is a method that attackers use to trick internet users into clicking a button or link that isn't what they believe it is.

For instance, you might be on a website that has a 'Checkout with PayPal' button. Clicking that button may take you to a site that looks like PayPal but is in fact completely fictitious. The 'scammers' are hoping that you will enter your information into this fake site so that they can use it.

For more information on ClickJacking, check out this Wikipedia page.

What does ClickJack Protection do?

ClickJack protection in Salesforce prevents a page, button, or link that actually comes from a totally different environment from appearing inside your Salesforce page.

Going back to the PayPal example, imagine that you were looking at an Account record and there was a malicious button on the page that would copy all of those account details through to a third party. It completely makes sense that Salesforce would introduce security controls to prevent that happening.

After Summer 15, Salesforce allows administrators to set the clickjack protection for a site to one of these levels:
  1. Allow framing by any page (no protection)
  2. Allow framing by the same origin only (recommended)
  3. Don’t allow framing by any page (most protection)
For more information on these settings check out the Salesforce Help Doc.

How do these settings affect my Salesforce environment?

Publisher Actions that include Visualforce pages, standalone Visualforce pages and any pages included in an iframe will all be controlled by your ClickJack Protection settings.

If your settings are active and your VF pages are not correctly formatted, you will see this error whenever you try to view a page:
"URL No Longer Exists"
Visualforce page showing URL No Longer Exists
Not the most helpful error message in the world, but you have a few options on what to do.

You can:
  • Discontinue displaying pages in your Salesforce environment within a frame or <iframe>. This solution is recommended.
  • Don’t enable clickjack protection for your Visualforce pages. This option allows you to continue framing Visualforce pages, but the pages are vulnerable to clickjack attacks. This option isn't recommended.
More information is available in the Summer 15 release notes.
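To see which of the three protection levels above would let a given embedding page frame a Visualforce page (and so whether a user will hit "URL No Longer Exists"), here is an added example, not code from the original post or from Salesforce. It assumes that the levels map onto the standard X-Frame-Options response header as commented below; the level names and sample URLs are constructed for illustration.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed mapping of Salesforce's three ClickJack Protection levels onto the
# standard X-Frame-Options (XFO) header; the XFO semantics are the browser's,
# the level names are constructed labels for this example.
LEVEL_TO_XFO = {
    "any": None,                  # 1. Allow framing by any page (no header)
    "same-origin": "SAMEORIGIN",  # 2. Allow framing by the same origin only
    "deny": "DENY",               # 3. Don't allow framing by any page
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> Tuple[str, str, int]:
    """Return (scheme, host, port) the way a browser compares origins."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme, 0)
    return scheme, host, port


def framing_allowed(xfo_header: Optional[str], framed_url: str,
                    embedding_url: str) -> bool:
    """Will a browser render framed_url inside a page served at embedding_url?

    xfo_header is the X-Frame-Options value sent with framed_url (None if absent).
    A refused frame is what surfaces as the "URL No Longer Exists" message.
    """
    if xfo_header is None:
        return True
    values = {v.strip().upper() for v in xfo_header.split(",") if v.strip()}
    if len(values) != 1:
        return True  # conflicting/empty header: browsers ignore it entirely
    value = values.pop()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin(framed_url) == origin(embedding_url)
    # ALLOW-FROM is obsolete and unknown tokens are ignored, i.e. no protection.
    return True


def levels_that_allow(framed_url: str, embedding_url: str) -> List[str]:
    """Which protection levels would let embedding_url frame framed_url."""
    return [lvl for lvl, xfo in LEVEL_TO_XFO.items()
            if framing_allowed(xfo, framed_url, embedding_url)]
```

Note that the origin check treats `https://host` and `https://host:443` as the same origin, but a scheme change (http vs https) or a different subdomain breaks it, which is a common reason the "recommended" level still blocks a page.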

Check Security Settings

Conclusion

Security settings on Salesforce will always evolve/improve as new threats and vulnerabilities are identified and remedied. 

Whenever feasible, I always recommend that you activate/update the latest security settings in your environment but check any possible impacts on your existing set-up before doing so.

But next time a user reports a "URL No Longer Exists" error, check your ClickJack settings first!

Icon from Iconfinder, artist Vista