Here are quick highlights of the Winter '19 Visualforce improvements.
1. New Visualforce Access Metrics Fields
Use the new ProfileId and LogDate access metrics fields to prioritize which Visualforce pages to migrate to Lightning Experience. To decide which Visualforce pages to migrate to Lightning Experience, it’s helpful to know which pages are used most often and by whom. These new Visualforce Access Metrics fields show you that information. The ProfileId field shows the Salesforce profile ID of the user who viewed the Visualforce page. The LogDate field shows the date that the user accessed the page. This field provides more insight into page usage than the MetricsDate field, which represents the date the metrics are collected. To query metrics on the Visualforce pages in your org, use the VisualforceAccessMetrics object and include the ProfileId and
SELECT Id, ProfileId, MetricsDate, LogDate FROM VisualforceAccessMetrics
2. Securely Retrieve and Display Third-Party Images
Protect your users from unauthorized requests by using the IMAGEPROXYURL function to securely fetch images outside your org’s server. Loading a third-party image can initiate a malicious authentication request meant to steal Salesforce usernames and passwords. This Visualforce function loads external images over HTTPS and prevents images from requesting user credentials. To securely retrieve an external image, include the IMAGEPROXYURL function on the src attribute of a tag or the value attribute of an object.
3. URL Redirect Parameters Are No Longer Case-Sensitive
The protected URL parameters used in Visualforce pages (retURL, startURL, cancelURL, and saveURL) are no longer case-sensitive. If you change the parameter value from retURL to returl, the system now recognizes it as a protected parameter. Protected URL parameters allow redirects from Visualforce pages to salesforce.com or *.force.com domains and prevent malicious redirects to third-party domains.
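The following is an added example, not Salesforce's implementation: a minimal redirect-target check showing why parameter names must be matched case-insensitively before the domain rule is applied. The function names, the sample URL, the treatment of relative paths as acceptable, and the literal reading of the domain rule (exactly salesforce.com, or any subdomain of force.com) are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Protected parameter names from the release note, in their documented casing.
PROTECTED = {"retURL", "startURL", "cancelURL", "saveURL"}
PROTECTED_LOWER = {p.lower() for p in PROTECTED}

# Constructed sample: a lowercased parameter name pointing off-domain.
SAMPLE = "https://c.na1.visual.force.com/apex/Page?returl=https://evil.example/"


def host_allowed(host):
    """Assumed policy: exactly salesforce.com, or any subdomain of force.com."""
    host = (host or "").lower().rstrip(".")
    # The leading dot matters: "evilforce.com" must not match "force.com".
    return host == "salesforce.com" or host.endswith(".force.com")


def target_allowed(target):
    """True if a redirect target stays on an allowed domain."""
    try:
        # Browsers treat backslashes like slashes, so normalise before parsing.
        parts = urlsplit(target.strip().replace("\\", "/"))
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Relative path: stays on the current site (assumed acceptable).
        return parts.path.startswith("/")
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname drops userinfo and port, so "salesforce.com@evil.example" fails.
    return host_allowed(parts.hostname)


def unsafe_redirect_params(url, case_sensitive=False):
    """Return the names of protected parameters whose target is off-domain."""
    flagged = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if case_sensitive:
            is_protected = name in PROTECTED          # old behaviour
        else:
            is_protected = name.lower() in PROTECTED_LOWER  # Winter '19 behaviour
        if is_protected and not target_allowed(value):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("case-sensitive match flags:", unsafe_redirect_params(SAMPLE, True))
    print("case-insensitive match flags:", unsafe_redirect_params(SAMPLE))
```

With case-sensitive matching the lowercased `returl` is never recognised as protected, so the domain rule is not applied to it; case-insensitive matching closes that gap.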
4. Improve Security by Isolating Untrusted Third-Party Content with iframes
You can now isolate HTML static resources on a separate domain using iframes. Using a separate domain to embed information from untrusted sources protects your Visualforce content. To reference a static HTML file on a separate domain, use $IFrameResource.<resource_name> as a merge field, where resource_name is the name you specified when you uploaded the static resource.