TransWikia.com

Hide iframe url

Salesforce Asked by cloudy-ritz on February 8, 2021

I am using a Visualforce page and adding an apex tag:

<apex:page standardController="account">
  <apex:iframe src="a.com/embed/preview/f?theme=dark fullscreen" width="100%" height="800px" frameborder="0" scrolling="NO"/>
</apex:page>

I am trying to hide the URL from the Visualforce page. Is it possible using standard functionality?

One Answer

Option 1: URL Shortener

If hiding the apex:iframe URL from the resulting iframe in the client-side source code is sufficient, then you can use the Bitly URL Shortener service to obfuscate the URL.

If the original URL is hosted on Salesforce.com, the resulting short URL will automatically use sforce.co:

https://sforce.co/XXXXXXX

If the original URL is not hosted on Salesforce.com, the resulting short URL will likely use bit.ly:

https://bit.ly/XXXXXXX

The problem with using this method is that, while the URL may be hidden in the client-side source code, in most browsers, a user can fairly easily open iframe content in a new window or tab (displaying the destination URL in the address bar).

Alternatively, a user may be able to monitor the network and view the resulting Location response header from the request to determine where the page has been redirected to, without having to leave the Visualforce page at all.

Option 2: External Proxy

A better way to hide the URL would be to run the target web page and all of its resources through a proxy on an external server and obfuscate the URL as part of the proxy service.

There are many web proxy sites like this that exist, but many of them come with an undesirable toolbar embedded in the destination web page to allow navigation to another site, or they are very slow, or they cause the sites to malfunction, or they are flatly rejected by Salesforce Content Security Policy:

Refused to display 'https://www.hidemyass-freeproxy.com/proxy/en-ww/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors https://www.hidemyass.com".

Conclusion:

The user experience will most likely be a better one (in many different ways) if you exercise transparency, and leave the iframe URL unobscured.

If you must attempt to hide the origin of the content, consider using an external proxy to obfuscate the URL and its content, but know that this method is not bulletproof in the sense of privacy, and the origin of the web page can likely be determined by certain users in certain situations.

You must determine if the cost in user experience is worth the benefit in obscurity.

Answered by Grant Miller on February 8, 2021
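
The "Refused to display" error quoted in the answer is the browser enforcing the framed site's `frame-ancestors` directive against the embedding page. The following is an added example, not code from the answer or from Salesforce, that evaluates that directive for a single embedding page. The function names and the `VF_PAGE` origin are assumptions made for illustration, and source matching is simplified.

```javascript
// Added example: evaluate a CSP frame-ancestors directive for one embedding page.
// Simplified matching; X-Frame-Options and nested ancestors are not modelled.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Return the source list of the first frame-ancestors directive, or null if absent.
function parseFrameAncestors(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// An http scheme in a source expression also admits https (scheme upgrade).
function schemeOk(expected, actual) {
  return actual === expected || (expected === "http:" && actual === "https:");
}

function sourceMatches(source, parent, framed) {
  const s = source.toLowerCase();
  if (s === "'self'") return parent.origin === framed.origin;
  if (s.startsWith("'")) return false; // 'none' and unrecognised keywords
  if (s === "*") return /^https?:$/.test(parent.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeOk(s, parent.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // A source without a scheme inherits the scheme of the framed document.
  if (!schemeOk(scheme ? scheme + ":" : framed.protocol, parent.protocol)) return false;
  const hostOk = wildcard ? parent.hostname.endsWith("." + host) : parent.hostname === host;
  // URL.port is "" when the URL uses the default port for its scheme.
  const parentPort = parent.port || DEFAULT_PORT[parent.protocol];
  const portOk = port === "*" || (port ? parentPort === port : parent.port === "");
  return hostOk && portOk;
}

function mayFrame(cspHeader, parentUrl, framedUrl) {
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return true; // this policy places no restriction on framing
  const parent = new URL(parentUrl), framed = new URL(framedUrl);
  return sources.some((src) => sourceMatches(src, parent, framed));
}

// Directive and proxy URL as quoted in the error above; VF_PAGE is a constructed origin.
const PROXY_CSP = "frame-ancestors https://www.hidemyass.com";
const VF_PAGE = "https://vf-page.example/apex/Preview";
const PROXY_URL = "https://www.hidemyass-freeproxy.com/proxy/en-ww/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
console.log(mayFrame(PROXY_CSP, VF_PAGE, PROXY_URL)); // false
```

Running the same check against the response headers of any candidate proxy shows in advance whether a Visualforce page will be allowed to embed it.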
