Recently I have been involved in website go-live. Testers have been complaining that they were not able to see website in Smartedit built-in iFrame.
Looking at the console we realised that recently jsapps endpoints started to send one HTTP Header:
At SAP Help you can find an article Adding HTTP CSP Frame-Ancestors. You will NOT find explanation how to do that.
Fortunately there is possibility to add in-the-runtime HTTP Response Headers in Cloud Portal in sub-page
HTTP Response Header Sets.
SAP Help has one section about it here: HTTP Response Header Sets.
X-Frame-Options: deny is a default value and it is not possible to remove from system... but fortunately you can unset it in Cloud Portal.
My configuration for Smartedit contains two entries:
Content-Security-Policywith wildcard to allow any request from Commerce Cloud.
X-Frame-Optionsto make it finally working, as it is replaced by CSP (more info on MDN XFO