Safari support for iframing a visualforce page

Background: I have an API I wish to use from within my managed package which occasionally results in long running callouts. In order to ensure my users don’t encounter errors with the limits to long running apex callouts I’ve attempted to implement a lightning component which embeds a visualforce page which uses continuations, as documented in this blog: Invoking Apex Continuations from Lightning Components.

Apart from some messing about to work out how to dynamically generate the correct visualforce and lightning URLs from within the package so that the postMessage is sent securely, this all seemed to work well until tested with Safari.

Problem If the Safari user has already accessed a visualforce page from within the package when they navigate to the component then all works fine, but if they haven’t then the iframed VF page fails to load. The iframe ends up on a page /visualforce/recsession with a javascript error “The string did not match the expected pattern” (the javascript is inspecting the URL params and failing on one missing). It could be that this is Salesforce trying to notify the parent window that the login failed, but I’ve not understood the logic well enough to try an justify this as a bug, and because Safari dev tools doesn’t log the previous requests when they are redirected by 302s I’m struggling to debug it.

As I understand the problem is because Salesforce serves managed visualforce pages from a specific domain for each namespace, and unlike the content domain, the user is not bounced through each namespaced visualforce domain at login to ensure the session is created. Salesforce seems to have some functionality which somehow logs the user into the domain in certain scenarios (e.g. visualforce iframed in a tab in Lightning Experience), but it appears not to work for this scenario.

I think this is because Safari implements a security model seemingly unlike other browsers, which prevents cookies being set from a hostname which a user has not previously visited in a full window, described here Safari iframe cookie workaround (and seemingly if not visited recently Safari’s new anti-tracking feature).

Alternatives I thought about resolving this by opening a new full window (or redirecting through a page and back) containing another packaged visualforce page to ensure the user is logged in. But I can’t work out how to reliably detect that the login has failed (as opposed to still being in progress). I can’t inspect the current location of the iframe, as it’s on a different hostname from my lightning component, so I’m left with creating a postMessage in the VF page to inform the lightning component that it’s loaded correctly, and then setting a timeout in the lightning component that after a certain time triggers the reload. This feels flaky, and could result in a poor user experience for my customers. I also need to check how this might work in the Salesforce1 app which appears to have the same problem.

Should I expect Salesforce to be able to login the iframe (is this a bug)? It seems to do it successfully from other contexts. If not, what alternative mechanism might be able to ensure my users can load the iframe reliably?


Source : Link , Question Author : James , Answer Author : Community

Leave a Comment