End of javascript sidebar workarounds? (Salesforce Classic / Aloha)
ALERT UPDATE (Spring'16)
These workarounds were never supported by Salesforce officially. They have worked for many years but now the are no longer possible with the Spring'16 Update. It was announced by Salesforce in 2015 that even the workarounds described in the section below for Winter'16 are shut down with the Spring'16 Release, in February 2016. I verified it on different pods and can confirm it's over. Here are the details:
What is changing?
The Salesforce Technology team is updating code within the standard Messages & Alerts and Custom Links home page components, including JavaScript and custom HTML markup to comply with our evolving security architecture best practices. These changes will enhance the security of your organization.
End of Sidebar workarounds via Messages & Alerts and Custom Links finally in Winter or Spring '16? It's pretty clear and it looks like we have an end-date now.
The new Lightning Experience UI is still evolving. The Lightning Experience UI will probably make a lot of use cases for these workaround obsolete. At this time (2015-10) the new UI is not really feature complete. With the Spring '16 Release it's likely that many features required by typical customers might be there. However in my opinion it won't be possible to migrate all Orgs in 2016-02 on the Lightning Experience UI.
Unfortunately most (or all) of the limitations of the Aloha UI we found reasonable for considering those workarounds are still present.
So the decision to shut down the workarounds at this time can create some extra effort only for an intermediate time until most Orgs can migrate completely to Lightning Experience. It would have been nice, if Salesforce could allow us a little bit more "grace time" for those Orgs, e.g. in form of an critical update or in form of switching that "security improvement" off for one or two releases...
MODIFICATION UPDATE (Winter'16)
Here you can find a way which worked until Spring'16: Requirescript change in Winter '16 release
ORIGINAL POST (Summer'14 to Summer'15 )
At least up to Summer'15 there is a solution without HTML-Areas.
What does NOT work anymore:
New HTML-Areas are useless in Summer'14! Careful with existing HTML-Areas: you save it, you loose it in Summer'14. They get crippled!
It does not work in Winter'16 anymore! It had worked in Summer'14, Winter'15, Spring'15 and Summer'15. For Winter'16 you need this instead and with Spring'16 it looks like an end...
- create a StaticResouce "YourStaticResourceName" upload a JS file containing whatever you need (e.g. jquery) and add a command in the end, like console.log('bingo!');
- go to Setup > Home > Custom Links
- create a new link call it "injection"
- Behaviour = "Execute JavaScript"
- Content Source = "Onclick JavaScript" (don't get irritated, you won't have to click!)
- at the body enter {!REQUIRESCRIPT("/resource/1402932484000/YourStaticResourceName")}
- go to Setup > Home > Home Page Components
- create a new one
- call it "injection-box"
- pick type "Links" (instead of HTML-Area we used before)
- click next
- pick "injection" we created above
- save it
- got to Setup > Home > Home Page Layouts
- add "injection-box" to your layout
- go to anywhere it worked before and check for 'bingo!' in your console. See that 'YourStaticResourceName' is successfully injected to the standard pages :-)
This pattern works in a slightly modified version also for communities: Are sidebar Javascript workarounds also possible for partner portals / communities?
And finally it seems to be even officially supported, look at this: http://help.salesforce.com/HTViewHelpDoc?id=customize_functions_i_z.htm#REQUIRESCRIPT
Here you'll find a knowledge article about what is changing for HTML-Areas and a bit on "why" they do it: https://help.salesforce.com/apex/HTViewSolution?urlname=Home-Page-Components-Changes-Starting-Summer-14&language=en_US
Here you can find and contribute use-cases and possible alternatives for this pattern: Why do we still need to hack the Sidebar? Usecases - Workarounds - Alternatives
Hey guys let's join forces and somehow reach out together to Salesforce and explain to them as a group how important it is to keep the UI open.
Uwe
The policy announcement is very clear:
In Summer ’15 we will start removing unsupported code from HTML Area home page components. As a result, components that contain JavaScript, CSS, iframes, or other unsupported markup might stop working properly. To use JavaScript or other advanced HTML elements in your home page component, we recommend that you use a Visualforce Area component instead.
Note that it says "we will start removing unsupported code from HTML Area home page components".
Do not risk wasting your dev time finding some mechanism to inject third party javascript which has not yet been removed and assume that it will never be removed.
Take the policy at face value and assume that all mechanisms that allow third party javascript to be injected into the saleforce homepage will be removed at some point.
As to the reason for this policy, it's pretty clear why having a separate namespace and security domain between salesforce.com javascript code and third party javascript code reduces conflicts and makes it easier for all sides to properly test and secure their code.
Other answers have a pretty good overview of the current workarounds within Salesforce and the reasons for this change (security).
However, one possible workaround feasible for controlled internal environments, would be to write a browser extension to handle this. For example, it's pretty trivial to write a Chrome extension that executes JavaScript on a given set of pages. Then, with managed deployment, this extension could easily be deployed to an entire organization as long as your use case is internal. Of course you could probably do the same with other browsers as well.
The main challenge is that we can't get JavaScript onto the main Salesforce page so we can't modify the height of the iframe. Writing this logic in an extension solves this challenge.
Of course this is somewhat of a last resort solution, but the great part is that you're not counting on ticking timebomb of using any hacks that are on their way to not working forever.