Refused to frame 'https://domain.sandbox.my.site.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors domain.sandbox.lightning.force.com *.domain.sandbox.lightning.force.com https://domain.sandbox.my.site.com".
This error occurs because of Salesforce’s strict Content Security Policy (CSP), which the browser enforces to restrict which domains may embed Salesforce content in an iframe. Specifically, the frame-ancestors directive lists the trusted origins allowed to frame the Salesforce site; if your external site’s domain isn’t in that list, the browser refuses to load the iframe.
Fortunately, you can resolve this issue by updating the trusted domains in Salesforce. Below is a step-by-step guide to fix the error and successfully embed your MIAW bot on an external site.
Steps to Fix the Error
Follow these instructions within your Salesforce environment to adjust the CSP settings and allow your external site to frame the MIAW bot:
Step 1: Navigate to Sites Setup
- Log in to your Salesforce org.
- From the Salesforce homepage, click on the Setup gear icon in the top-right corner and select Setup.
- In the left-hand navigation menu, expand User Interface, then go to Sites and Domains > Sites.
Step 2: Locate Your Site
- On the Sites page, you’ll see a list of configured sites in the Site Label column.
- Find the site associated with your MIAW bot deployment. It will typically be formatted as <ESW_[deploymentname]_[numbers]>, where [deploymentname] corresponds to your bot’s deployment name and [numbers] are unique identifiers.
- Click on the site name to open its configuration settings.
Step 3: Edit Trusted Domains for Inline Frames
- Scroll down to the section labeled Trusted Domains for Inline Frames.
- In this section, locate the domain or subdomain of your external site that is attempting to embed the MIAW bot (e.g., https://your-external-site.com).
- If the domain isn’t listed, click New to add it. If it’s already listed but needs adjustment (e.g., to include subdomains or correct a typo), select it and click Edit.
- Enter or update the domain details to match your external site’s URL. Ensure you include the protocol (e.g., https://) and the exact domain or subdomain.
Step 4: Save Your Changes
- After adding or editing the trusted domain, click Save to apply the changes.
- Salesforce will update the CSP settings, and your external site should now be permitted to frame the MIAW bot content.
Verifying the Fix
Once you’ve saved the changes, return to your external site and refresh the page hosting the embedded MIAW bot. The iframe should now load without the CSP error. If the issue persists, double-check the following:
- Ensure the domain you added in Step 3 matches the exact URL of your external site (including protocol and subdomain, if applicable).
- Confirm that your browser isn’t serving a cached copy of the page with the old CSP header by clearing the cache or testing in an incognito window.
- Verify that no additional security policies (e.g., browser extensions or server-side configurations) are interfering with the iframe.
Why This Happens
Salesforce sends a CSP header, which the browser enforces, to prevent unauthorized domains from embedding its content. The frame-ancestors directive specifically controls which parent origins can include Salesforce pages in an iframe: the browser compares the embedding page’s origin (scheme, host and port) against that list, so a mismatch in any of them, including http versus https, is enough to block the frame. When embedding a MIAW bot, the external site’s domain must therefore be explicitly trusted in Salesforce to satisfy this policy.
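To make the matching rules concrete, the following added example (not part of this article or of Salesforce’s code) applies CSP host-source and scheme-source matching to the frame-ancestors directive quoted in the error message at the top, before and after a constructed external origin is added. It assumes the framed Salesforce page is served over https, so a scheme-less source admits https embedders only, and it does not handle the 'self' keyword, which the directive above does not use.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def parse_frame_ancestors(csp_header: str) -> list[str]:
    """Return the frame-ancestors source expressions ([] if the directive is absent)."""
    for directive in csp_header.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return []  # without it, framing is governed by X-Frame-Options, if any

def _scheme_ok(wanted: str, actual: str) -> bool:
    # An http source also admits https (upgrade); the reverse is never allowed.
    return actual == wanted or (wanted == "http" and actual == "https")

def source_matches(expr: str, origin: str, resource_scheme: str) -> bool:
    """Does one host- or scheme-source expression admit this embedding origin?"""
    url = urlsplit(origin)
    url_scheme, url_host = url.scheme.lower(), (url.hostname or "").lower()
    url_port = url.port or DEFAULT_PORTS.get(url_scheme)
    if expr == "'none'":
        return False
    if expr.endswith(":"):  # scheme-source such as "https:"
        return _scheme_ok(expr[:-1].lower(), url_scheme)
    scheme, rest = expr.split("://", 1) if "://" in expr else (None, expr)
    host, _, port = rest.split("/", 1)[0].lower().partition(":")
    # A scheme-less source inherits the scheme of the framed page (https here).
    if not _scheme_ok((scheme or resource_scheme).lower(), url_scheme):
        return False
    if not (host == "*" or url_host == host or
            (host.startswith("*.") and url_host.endswith(host[1:]))):
        return False  # "*.a.b" admits "x.a.b" but neither "a.b" nor "xa.b"
    if not port:  # no port in the source: origin must use its scheme's default
        return url_port == DEFAULT_PORTS.get(url_scheme)
    return port == "*" or (port.isdigit() and int(port) == url_port)

def frame_ancestors_allows(csp_header: str, origin: str, resource_scheme: str = "https") -> bool:
    """True if any frame-ancestors source admits the embedding origin."""
    return any(source_matches(s, origin, resource_scheme)
               for s in parse_frame_ancestors(csp_header))

if __name__ == "__main__":
    csp = ("frame-ancestors domain.sandbox.lightning.force.com "
           "*.domain.sandbox.lightning.force.com https://domain.sandbox.my.site.com")
    site = "https://your-external-site.com"  # constructed example origin
    print(frame_ancestors_allows(csp, site))                # False: the error in the article
    print(frame_ancestors_allows(csp + " " + site, site))   # True: after the domain is trusted
```

Running the same check against `http://` or a non-default port shows why Step 3 insists on the exact protocol and domain.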
By following the steps above, you’ll align your setup with Salesforce’s security requirements and enable seamless integration of the MIAW bot on your external site.