Why do I see a Visualforce error when running a custom merge button in Salesforce, and how can it be resolved?

A Visualforce error can occur when running a custom merge button if Salesforce blocks the page from loading inside an iframe due to Clickjack Protection settings. This commonly happens in Lightning Experience when the domain hosting the Visualforce page is not listed as a trusted iframe domain.

Salesforce enforces strict security controls that prevent Visualforce pages from being embedded unless their parent Lightning domain is explicitly trusted. When this trust is missing, merge buttons that rely on Visualforce may fail with an iframe or security-related error.

To resolve this issue, add the parent Lightning domain (ending in .force.com) to Salesforce’s Trusted Domains for Inline Frames:

1. Go to Setup.
2. In Quick Find, search for Session Settings.
3. Scroll to Trusted Domains for Inline Frames.
4. Click Add Domain.
5. Enter the Lightning domain (for example: https://yourdomain.lightning.force.com or *.force.com).
6. Select the appropriate allowed iFrame type.
7. Save the changes.

Once the Lightning domain is trusted, the Visualforce-based merge button will run correctly without triggering security errors.