FAQ-000797 - External Content and Iframe Security / Iframe Security Requirements and Best Practices


Current FAQ

Question
What are the security requirements and best practices for using iframes in Salesforce applications?
Answer
Using iframes in Salesforce applications requires adherence to strict security requirements and best practices:

**General Security Requirements:**
- The application hosted within the iframe will fall under the scope of the security review
- Ensure iframe content adheres to security guidelines and does not introduce vulnerabilities
- All scripts must be contained in static resources for security analysis
- The security properties of the application must be fully analyzable from the source code

**Content Security and Data Handling:**
- Use a strict Content Security Policy (CSP) to prevent unauthorized scripts or content from being loaded within the iframe
- Ensure the external web application is served over HTTPS to maintain secure communication
- Sanitize and encode any user-controlled data to prevent vulnerabilities like cross-site scripting (XSS)
- Avoid binding user-controlled data to unsafe attributes without proper sanitization
- Use secure filters or custom renderers to sanitize user-controlled data

**Security Controls and Protection:**
- Apply the `sandbox` attribute on the iframe to restrict its capabilities, only allowing necessary permissions
- Use proper sandboxing for the iframe to restrict its access to the parent page
- Implement clickjacking protection by setting the `X-Frame-Options` header to `SAMEORIGIN` or `DENY`
- Load content only from specific, trusted domains to minimize exposure to malicious content
- Avoid sharing sensitive information (e.g., session IDs) with the external application

**Authentication and Communication:**
- Use secure authentication mechanisms like OAuth or Connected Apps instead of session sharing
- Ensure secure communication between the iframe and parent component
- For Service Cloud Voice widgets, keep Lightning Message Service (LMS) channels private to the package
- Avoid exposing global attributes or methods that could be misused

**Static Resources and Code Management:**
- Store JavaScript code, including React applications, in Salesforce static resources instead of dynamically loading from external domains
- Host CSS or other assets in static resources, or include integrity checks if loading dynamically
- Avoid dynamically loading JavaScript or CSS from third-party endpoints
- Document and review all API callouts during the security review process

**LockerService and API Compliance:**
- Enable LockerService for Lightning Web Components by using API version 40.0 or higher
- Ensure Lightning apps are written for API version 40 or later to leverage LockerService

**Testing and Documentation:**
- Regularly review and test the integration for vulnerabilities like XSS and clickjacking
- Document any false positives related to iframe usage in security review submissions
- Test the entire solution, including iframe functionality, using both manual and automated security tools

**Specific Implementation Guidelines:**
- If direct embedding isn't feasible, consider hosting the external app externally and embedding via iframe
- Ensure the iframe is not associated with the Salesforce domain to maintain security
- Validate and sanitize all parameters passed to the iframe to prevent injection attacks
- Protect sensitive data and avoid exposing it within the iframe

Note: Using an iframe within a Lightning Component to display an external website is not approved due to security boundaries, and iframeloader packages are explicitly disallowed.
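The parent-side controls the answer lists (trusted-origin allowlist, HTTPS only, encoded parameters, a minimal `sandbox` value, and origin-checked messages from the frame) as an added example; this is not code from the FAQ or from Salesforce, and the embedded app's origin `https://partner-app.example` is a constructed value.

```javascript
// Added example, not code from the FAQ or from Salesforce: parent-side helpers
// for embedding an external app in an iframe as the answer above prescribes.
// The embedded app's origin https://partner-app.example is a constructed value.
const ALLOWED_EMBED_ORIGINS = ["https://partner-app.example"];

// Build the iframe src: HTTPS only, origin on the allowlist, and every parameter
// goes through URLSearchParams so it is encoded rather than string-concatenated.
function buildEmbedUrl(base, params, allowedOrigins = ALLOWED_EMBED_ORIGINS) {
  const url = new URL(base); // throws on malformed input
  if (url.protocol !== "https:") throw new Error("iframe src must be HTTPS");
  if (!allowedOrigins.includes(url.origin)) throw new Error(`origin not allowlisted: ${url.origin}`);
  for (const [key, value] of Object.entries(params)) url.searchParams.set(key, String(value));
  url.hash = ""; // nothing legitimate is passed in the fragment here, so drop it
  return url.toString();
}

// Compose a minimal sandbox value from explicitly requested capabilities.
// allow-scripts combined with allow-same-origin is refused: a same-origin framed
// document could then remove its own sandbox, which the HTML spec warns about.
const SANDBOX_TOKENS = new Set(["allow-scripts", "allow-forms", "allow-popups", "allow-same-origin"]);
function sandboxFor(capabilities) {
  const unknown = capabilities.filter((c) => !SANDBOX_TOKENS.has(c));
  if (unknown.length) throw new Error(`unsupported sandbox token(s): ${unknown.join(", ")}`);
  if (capabilities.includes("allow-scripts") && capabilities.includes("allow-same-origin")) {
    throw new Error("allow-scripts together with allow-same-origin defeats the sandbox");
  }
  return capabilities.join(" ");
}

// Accept a postMessage from the frame only when event.origin is allowlisted and the
// payload has the expected shape; anything else is dropped (returns null).
function acceptFrameMessage(event, allowedOrigins = ALLOWED_EMBED_ORIGINS) {
  if (!allowedOrigins.includes(event.origin)) return null;
  const data = event.data;
  if (!data || typeof data !== "object" || typeof data.type !== "string") return null;
  return { type: data.type, payload: data.payload ?? null };
}

// Constructed usage, no DOM required: the values a parent component would set on
// <iframe src=... sandbox=...> and what its message listener would hand on.
const embedSrc = buildEmbedUrl("https://partner-app.example/widget", { caseId: "500xx&admin=1", lang: "en" });
const embedSandbox = sandboxFor(["allow-scripts", "allow-forms"]);
const accepted = acceptFrameMessage({ origin: "https://partner-app.example", data: { type: "resize", payload: 320 } });
const dropped = acceptFrameMessage({ origin: "https://other.example", data: { type: "resize", payload: 320 } });
```

Note that `&` and `=` inside the `caseId` value are percent-encoded, so a parameter value cannot smuggle in a second parameter.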


AI Recommended Enhancement

Related Security Rules
- AvoidCreateElementScriptLinkTag
- LoadJavaScriptHtmlScript
- LoadJavaScriptIncludeScript
- LoadCSSLinkHref
- LoadCSSApexStylesheet
- AvoidAuraWithLockerDisabled
- ApexXSSFromEscapeFalse
- ApexXSSFromURLParam
- AvoidUnescapedHtmlInAura
- @lwc/lwc/no-inner-html
- AvoidLmcIsExposedTrue
- AvoidHardCodedCredentialsInAura
- AvoidApiSessionId
- AvoidUnauthorizedApiSessionIdInApex
- AvoidUnauthorizedGetSessionIdInApex
Question
What are the security requirements and best practices for using iframes in Salesforce applications?
Recommended Answer Update
Using iframes in Salesforce applications requires adherence to strict security requirements and best practices:

**General Security Requirements:**
- The application hosted within the iframe falls under the scope of the security review
- Ensure iframe content adheres to security guidelines and doesn't introduce vulnerabilities
- All scripts must be contained in static resources for security analysis
- The security properties of the application must be fully analyzable from the source code

**Content Security and Data Handling:**
- Use a strict Content Security Policy (CSP) to prevent unauthorized scripts or content from being loaded within the iframe
- Ensure the external web application is served over HTTPS to maintain secure communication
- Sanitize and encode any user-controlled data to prevent vulnerabilities like cross-site scripting (XSS)
- Avoid binding user-controlled data to unsafe attributes without proper sanitization
- Use secure filters or custom renderers to sanitize user-controlled data

**Security Controls and Protection:**
- Apply the `sandbox` attribute on the iframe to restrict its capabilities, only allowing necessary permissions
- Use proper sandboxing for the iframe to restrict its access to the parent page
- Implement clickjacking protection by setting the `X-Frame-Options` header to `SAMEORIGIN` or `DENY`
- Load content only from specific, trusted domains to minimize exposure to malicious content
- Avoid sharing sensitive information (e.g., session IDs) with the external application

**Authentication and Communication:**
- Use secure authentication mechanisms like OAuth or Connected Apps instead of session sharing
- Ensure secure communication between the iframe and parent component
- For Service Cloud Voice widgets, keep Lightning Message Service (LMS) channels private to the package
- Avoid exposing global attributes or methods that could be misused

**Static Resources and Code Management:**
- Store JavaScript code, including React applications, in Salesforce static resources instead of dynamically loading from external domains
- Host CSS or other assets in static resources, or include integrity checks if loading dynamically
- Avoid dynamically loading JavaScript or CSS from third-party endpoints
- Document and review all API callouts during the security review process

**LockerService and API Compliance:**
- Enable LockerService for Lightning Web Components by using API version 40.0 or higher
- Ensure Lightning apps are written for API version 40 or later to leverage LockerService

**Testing and Documentation:**
- Regularly review and test the integration for vulnerabilities like XSS and clickjacking
- Document any false positives related to iframe usage in security review submissions
- Test the entire solution, including iframe functionality, using both manual and automated security tools

**Specific Implementation Guidelines:**
- If direct embedding isn't feasible, consider hosting the external app externally and embedding via iframe
- Ensure the iframe isn't associated with the Salesforce domain to maintain security
- Validate and sanitize all parameters passed to the iframe to prevent injection attacks
- Protect sensitive data and avoid exposing it within the iframe

Note: Using an iframe within a Lightning Component to display an external website isn't approved due to security boundaries, and iframeloader packages are explicitly disallowed.
Reasoning
The FAQ content is comprehensive and accurate. I made minor grammatical improvements for clarity and consistency without changing the content or structure. Specifically, I changed "will fall" to "falls", "does not introduce" to "doesn't introduce", "is not approved" to "isn't approved", and "is not associated" to "isn't associated" to maintain a more conversational tone as per the style guidelines. All technical content remains accurate and no outdated information was found. The security rules I selected directly relate to the iframe security content discussed in this FAQ:
- **AvoidCreateElementScriptLinkTag**: Relates to the FAQ's guidance about avoiding dynamic creation of script/link elements in iframe content
- **LoadJavaScriptHtmlScript & LoadJavaScriptIncludeScript**: Directly relates to the FAQ's recommendations about storing JavaScript in static resources instead of loading dynamically
- **LoadCSSLinkHref & LoadCSSApexStylesheet**: Relates to the FAQ's guidance about hosting CSS in static resources rather than loading dynamically
- **AvoidAuraWithLockerDisabled**: Connects to the FAQ's section on "LockerService and API Compliance" and enabling LockerService
- **ApexXSSFromEscapeFalse, ApexXSSFromURLParam, AvoidUnescapedHtmlInAura, @lwc/lwc/no-inner-html**: All relate to the FAQ's extensive coverage of XSS prevention and data sanitization in iframe contexts
- **AvoidLmcIsExposedTrue**: Relates to the FAQ's guidance about keeping Lightning Message Service channels private
- **AvoidHardCodedCredentialsInAura**: Connects to the FAQ's recommendations about secure authentication mechanisms
- **AvoidApiSessionId, AvoidUnauthorizedApiSessionIdInApex, AvoidUnauthorizedGetSessionIdInApex**: All relate to the FAQ's guidance about avoiding sharing sensitive information like session IDs with external applications