It’s a good idea to isolate static resources downloaded from an untrusted source. You can use an iframe to separate third-party content from your Visualforce page to provide an extra layer of security and help you protect your assets.
To reference a static HTML file on a separate domain, use $IFrameResource.<resource_name> as a merge field, where resource_name is the name you specified when you uploaded the resource. For example:
<apex:iframe src="{!$IFrameResource.TestHtml}" id="theiframe" width="500" height="500"/>
The iframe tag injects JavaScript into both the parent document and the child iframe to establish secure communication between the two. The parent document can have multiple iframes. Each uniquely named static resource lives in its own subdomain of forceusercontent.com.
Access to an iframe is not authenticated, so any third-party content it contains can’t access a user’s session ID.
You can write JavaScript code in the parent document to communicate with the iframe.
SfdcApp.iframe.sendMessage('theiframe', { key1: value1, key2: value2 });
SfdcApp.iframe.addMessageHandler('theiframe', function(data) { if(data.key1) { … } });
SfdcApp.iframe.addErrorHandler('theiframe', function(error) { console.log(error); });
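Because the iframe holds untrusted content, the data passed to the parent's message handler is untrusted input too. The following is an added example, not part of the original documentation: it checks each message against an allowlisted schema before the parent uses it. The schema for key1 and key2, the validateIframeMessage helper and the 'status' element id are illustrative assumptions.

```javascript
// Added example: schema check for messages arriving from the untrusted iframe.
// Assumed schema for illustration: key1 is a short string, key2 a small integer.
const MESSAGE_SCHEMA = {
  key1: (v) => typeof v === 'string' && v.length <= 256,
  key2: (v) => Number.isInteger(v) && v >= 0 && v <= 1000,
};

// Returns a clean copy holding only validated fields, or null if the
// message is malformed. The original object is never passed on.
function validateIframeMessage(data) {
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return null;
  }
  const clean = Object.create(null); // no prototype to pollute
  for (const key of Object.keys(data)) {
    // Reject unknown keys (this also covers an own "__proto__" key).
    if (!Object.prototype.hasOwnProperty.call(MESSAGE_SCHEMA, key)) {
      return null;
    }
    if (!MESSAGE_SCHEMA[key](data[key])) {
      return null;
    }
    clean[key] = data[key];
  }
  // Require every schema field to be present.
  for (const key of Object.keys(MESSAGE_SCHEMA)) {
    if (!(key in clean)) return null;
  }
  return clean;
}

// Registration in the parent page; SfdcApp exists only inside Visualforce.
if (typeof SfdcApp !== 'undefined') {
  SfdcApp.iframe.addMessageHandler('theiframe', function (data) {
    const msg = validateIframeMessage(data);
    if (msg === null) {
      console.warn('Dropped malformed message from theiframe');
      return;
    }
    // 'status' is a hypothetical element id. Use textContent, never
    // innerHTML, so any markup in the message stays inert.
    document.getElementById('status').textContent = msg.key1;
  });
}
```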
You can also communicate in the other direction, from the iframe document to the parent.
LCC.onlineSupport.sendMessage('containerUserMessage', { key1: value1, key2: value2 });
LCC.onlineSupport.addMessageHandler(function(message) { if(message.key1) { … } });
To remove this handler:
LCC.onlineSupport.removeMessageHandler(function)
LCC.onlineSupport.addMessageErrorHandler(function(message) { if(message.key1) { … } });
To remove this handler:
LCC.onlineSupport.removeMessageErrorHandler(function)
LCC.onlineSupport.addErrorHandler(function(message) { if(message.key1) { … } });
To remove this handler:
LCC.onlineSupport.removeErrorHandler(function)