Navigating Lightning Web Security (LWS) Restrictions with Iframes (CORS)

With the Salesforce Spring ‘25 release, new Lightning Web Security (LWS) restrictions are causing headaches for developers who use iframes in their applications. If you’ve encountered the dreaded error:

Access to XMLHttpRequest at 'https://m.stripe.com/6' from origin 'null' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'https://m.stripe.network' that is not equal to the supplied origin. POST https://m.stripe.com/6 net::ERR_FAILED 200 (OK)

You’re not alone. This issue isn’t just Stripe-specific - it can occur with any iframe-based integration under the new LWS rules. Let’s break down what’s happening and how to adapt.

What Changed in Spring ‘25?

According to the Salesforce release notes:

  • Previously, LWS allowed access to iframe elements if they shared the same origin as the parent page.
  • Now, all iframes with an explicit src attribute are subject to cross-origin restrictions, even if their source matches the parent page’s origin.

Implications:

  • Direct access to window.parent or window.top from an iframe is blocked.
  • Scripts that rely on these properties will fail unless reworked.

Common Scenarios Impacted

Stripe and Payment Gateways

Many payment integrations, like Stripe, use iframes to securely display forms. Under LWS, cross-origin communication between the parent page and iframe now requires window.postMessage() instead of direct references.

Embedded Forms or Static Resources

Static HTML loaded in iframes that include scripts accessing parent or top will fail.

Best Practices for iFrame Communication

Here’s how you can work around these restrictions:

1. Use window.postMessage() for Communication

  • What it Does: Allows secure communication between the host page and iframe by passing messages between them.
  • How to Use:
    • The iframe listens for incoming message events.
    • The parent page posts messages using postMessage().

2. Capture event.source and event.origin

  • Store these references when an iframe receives a message. Use them for any responses back to the parent.
  • This avoids direct references to parent, which are blocked.

3. Validate the Sender’s Origin

  • Always check the event.origin against a whitelist of trusted origins (e.g., your domain, third-party services like https://js.stripe.com).

Example Use Case

For a payment gateway like Stripe:

  • The iframe receives an initialization message from the parent.
  • The parent includes data (like transaction details) in the message.
  • The iframe responds using postMessage() to the captured event.source.

This approach ensures secure, cross-origin communication while adhering to LWS restrictions.

Key Takeaways

  1. Adapt Your Code: Replace direct iframe interactions (e.g., parent.postMessage()) with window.postMessage() and event handling.
  2. Validate Everything: Always confirm the source of incoming messages to prevent unauthorized access.
  3. Stay Informed: Check Salesforce release notes for the latest changes, like the Spring ‘25 iframe restrictions.

By following these practices, you can future-proof your iframe-based integrations and maintain functionality under LWS.

Have you faced similar challenges with iframe restrictions? Share your solutions or questions in the comments below!

Comments

Post a Comment

Popular posts from this blog

From JDK to ICU Locale Formats: Adapting Salesforce Applications for the Next Generation of Formatting

Salesforce is significantly changing its underlying date, time, and number formatting engines. With the Summer ’25 release , Salesforce will move from JDK (Java Development Kit) formatting to ICU (International Components for Unicode) formatting. While this might seem like a minor internal tweak, it can have wide-reaching implications on how your org’s custom logic, UI components, and integrations display and interpret locale-sensitive information. In this post, we’ll explore: The key differences between JDK and ICU formatting The potential impact on ISV (Independent Software Vendor) applications Concrete examples of how to adapt and migrate your code—ranging from Apex and Lightning Web Components (LWC) to triggers and Flows Why the Change? ICU is an industry-standard library for internationalization. It provides more accurate, consistent, and up-to-date locale data and formatting patterns across languages, countries, and regions. By standardizing on ICU, Salesforce ensures that: You h...
Read more

Building Stronger Relationships with Stakeholder Management in Nonprofit Cloud

Salesforce Nonprofit Cloud provides a robust and flexible platform for managing your programs, fundraising efforts, and crucial relationships, which drive your mission forward.  Stakeholder Management is a key aspect of this ecosystem, which allows nonprofits to better identify, engage, and nurture the diverse group of individuals and organizations that shape their mission. In this post, we’ll explore Stakeholder Management within the Nonprofit Cloud, drawing on insights from the Trailhead Module  and providing practical guidance on migrating from NPSP (Nonprofit Success Pack) to the new Nonprofit Cloud. What Is Stakeholder Management in Nonprofit Cloud? In the nonprofit sector, stakeholders can encompass a broad range of individuals and entities - funders, community partners, volunteers, beneficiaries, staff members, and even the broader public. Effective Stakeholder Management involves systematically identifying these groups, understanding their interests and influence, and...
Read more