Issue
When I edit a receipt template, the content shows an unhappy face.

In Chrome's developer tools, the following error appears:
Refused to frame 'https://[DomainName]--[SandboxName]--dryad.sandbox.vf.force.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' ".
Reason
This is a common Content Security Policy (CSP) issue in Salesforce when embedding Visualforce pages in LWCs across different domains.
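The problem occurs because sandboxes often have different domain configurations than other orgs. The Visualforce page is served from a different domain than the Lightning page that frames it, and its "frame-ancestors 'self'" directive only allows framing by the page's own origin.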
Solution
There are two options.
Option 1: Disable Clickjack Protection
- Go to Setup > Session Settings
- In the section "Clickjack Protection", set "Enable clickjack protection for customer Visualforce pages with headers disabled" to False

Option 2: Configure Trusted Domains for Inline Frames
If disabling Clickjack Protection isn't desirable or doesn't resolve the issue, you need to explicitly tell the org which of its own domains are allowed to frame Visualforce pages. This keeps clickjack protection enabled.
- Go to Setup > Session Settings
- In the section "Trusted Domains", click "Add Domain"
- Add the following domain:
  - In Production: https://[DomainName].lightning.force.com
  - In Sandbox: https://[DomainName]--[SandboxName].sandbox.lightning.force.com
- Set the IFrame Type to "Visualforce Pages"
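
To see why the browser refuses the frame and why Option 2 resolves it, the following added example (not part of the original article and not Salesforce code) evaluates a frame-ancestors directive against the framing page's origin. The acme--dev hostnames are constructed placeholders, and the header shape after adding the trusted domain is an assumption.

```javascript
// Added example: simplified frame-ancestors evaluation (paths ignored).
// Hostnames are constructed placeholders, not real orgs.
const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

// Return the frame-ancestors source list, or null if the directive is absent.
function frameAncestors(csp) {
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Does one source expression allow this ancestor URL?
function sourceMatches(source, ancestor, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return ancestor.origin === self.origin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.protocol === s;
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?(?:\/.*)?$/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // No scheme in the source means "same scheme as the framed page".
  if (ancestor.protocol !== (scheme ? scheme + ':' : self.protocol)) return false;
  const actualPort = ancestor.port || DEFAULT_PORT[ancestor.protocol];
  if (port !== '*' && actualPort !== (port || DEFAULT_PORT[ancestor.protocol])) return false;
  return host.startsWith('*.')
    ? ancestor.hostname.endsWith(host.slice(1))
    : ancestor.hostname === host;
}

// Framing is allowed only if every ancestor matches at least one source.
function framingAllowed(csp, selfUrl, ancestorUrls) {
  const sources = frameAncestors(csp);
  if (sources === null) return true; // no directive, no CSP framing restriction
  const self = new URL(selfUrl);
  return ancestorUrls.every((a) =>
    sources.some((src) => sourceMatches(src, new URL(a), self)));
}

const VF = 'https://acme--dev--dryad.sandbox.vf.force.com/';  // constructed
const LEX = 'https://acme--dev.sandbox.lightning.force.com/'; // constructed
const BEFORE = "frame-ancestors 'self'";                       // from the error
// Assumed shape of the header once the trusted domain is added (Option 2).
const AFTER = `frame-ancestors 'self' ${new URL(LEX).origin}`;

console.log('before:', framingAllowed(BEFORE, VF, [LEX]));
console.log('after: ', framingAllowed(AFTER, VF, [LEX]));
```

Because every ancestor must match, a trusted Lightning page that is itself framed by an unlisted site is still refused.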
