Issue
Recently I have been involved in website go-live. Testers have been complaining that they were not able to see website in Smartedit built-in iFrame.
Looking at the console we realised that recently jsapps endpoints started to send one HTTP Header:
X-Frame-Options: denyThat is probably a consequence of SAP internal security auditOWASP Secure HeadersX-Frame-Options.
At SAP Help you can find an articleAdding HTTP CSP Frame-Ancestors. You willNOT find explanation how to do that.
Solution
Fortunately there is possibility to add in-the-runtime HTTP Response Headers in Cloud Portal in sub-pageSecurity ->HTTP Response Header Sets.
SAP Help has one section about it here:HTTP Response Header Sets.
UnfortunatelyX-Frame-Options: deny is a default value and it is not possible to remove from system... but fortunately you can unset it in Cloud Portal.
My configuration for Smartedit contains two entries:
- setting
Content-Security-Policywith wildcard to allow any request from Commerce Cloud. - unsetting
X-Frame-Optionsto make it finally working, as it is replaced by CSP (more info onMDN XFO
Top comments(1)
For further actions, you may consider blocking this person and/orreporting abuse
