FAQ-000796 - External Content and Iframe Security / Iframe Sandboxing and Security Controls

Current FAQ

Question
When is iframe sandboxing required and are there exceptions for internal Salesforce pages?
Answer
Iframe sandboxing is required when dynamic content is hosted externally and embedded into a Visualforce page to ensure it is not associated with a Salesforce domain. This helps maintain security boundaries and prevent code interference. Exceptions are not made for internal Salesforce pages, as all scripts and resources must adhere to the security policies, including being stored in static resources. Even if your application iframes a trusted, internal page, you still need to implement iframe sandboxing to comply with Salesforce's security policies.
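As an added example (not part of this FAQ and not Salesforce's own tooling), here is a small Node.js check that scans Visualforce markup for `<iframe>` tags that omit the `sandbox` attribute or combine `allow-scripts` with `allow-same-origin`. The sample page, its paths and the partner hostname are constructed for the demonstration.

```javascript
// Added example: lint Visualforce markup for <iframe> tags that lack the sandbox
// attribute or weaken it. SAMPLE_VF_PAGE below is constructed, not a real page.
const SAMPLE_VF_PAGE = `
<apex:page showHeader="false">
  <iframe src="https://partner.example.com/widget" width="600" height="400"></iframe>
  <iframe src="/apex/InternalReport" sandbox="allow-scripts allow-same-origin"></iframe>
  <iframe src="https://partner.example.com/form" sandbox="allow-scripts allow-forms"></iframe>
</apex:page>`;

// Parse the attributes of one <iframe ...> start tag into a name -> value map.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(tag)) !== null) attrs[m[1].toLowerCase()] = m[2] ?? m[3];
  // Bare boolean form (<iframe sandbox src="...">) means "sandbox with no tokens".
  if (!("sandbox" in attrs) && /\ssandbox(?=[\s>\/])/i.test(tag)) attrs.sandbox = "";
  return attrs;
}

// Return one finding per iframe. Note: the tag regex assumes no ">" inside
// attribute values, which is adequate for hand-written Visualforce markup.
function lintIframes(markup) {
  const findings = [];
  for (const m of markup.matchAll(/<iframe\b[^>]*>/gi)) {
    const attrs = parseAttributes(m[0]);
    const src = attrs.src ?? "(no src)";
    if (!("sandbox" in attrs)) {
      // Policy: sandbox is required for every embedded page, internal ones included.
      findings.push({ src, status: "missing-sandbox" });
      continue;
    }
    const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
    // allow-scripts plus allow-same-origin lets same-origin framed content remove
    // its own sandbox attribute, which defeats the isolation the policy relies on.
    if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
      findings.push({ src, status: "sandbox-escapable", tokens });
      continue;
    }
    findings.push({ src, status: "ok", tokens });
  }
  return findings;
}

console.log(lintIframes(SAMPLE_VF_PAGE));
```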

AI Recommended Enhancement

Question
When is iframe sandboxing required and are there exceptions for internal Salesforce pages?
Recommended Answer Update
Iframe sandboxing is required when dynamic content is hosted externally and embedded into a Visualforce page to ensure it's not associated with a Salesforce domain. This helps maintain security boundaries and prevent code interference. Exceptions aren't made for internal Salesforce pages—all scripts and resources must adhere to the security policies, including being stored in static resources. Even if your application iframes a trusted, internal page, you still need to implement iframe sandboxing to comply with Salesforce's security policies.
Reasoning
The FAQ content is accurate and well-structured. The only minor improvement is replacing 'are not made' with the more conversational contraction 'aren't made' to align with the brand and tone guidelines that recommend using contractions for a more natural, conversational style. This makes the text sound more like advice from a knowledgeable colleague rather than formal documentation. No security rules from the available list directly apply to this FAQ topic. While there are rules related to external content loading (LoadJavaScriptHtmlScript, LoadJavaScriptIncludeScript, LoadCSSLinkHref, etc.), those rules focus on detecting when external resources are loaded via specific code patterns, whereas this FAQ discusses the general security requirement for iframe sandboxing when embedding external content in Visualforce pages. The FAQ addresses a Salesforce platform security policy rather than detectable code patterns that would trigger security scanner rules.