Issue
Recently I have been involved in a website go-live. Testers had been complaining that they were not able to see the website in the SmartEdit built-in iframe.
Looking at the browser console we realised that the jsapps endpoints had recently started to send one extra HTTP response header:
X-Frame-Options: deny
That is probably a consequence of an SAP internal security audit (see OWASP Secure Headers, X-Frame-Options).
At SAP Help you can find an article, Adding HTTP CSP Frame-Ancestors. You will NOT find an explanation of how to do that.
Solution
Fortunately it is possible to add HTTP response headers at runtime in Cloud Portal, in the sub-page Security -> HTTP Response Header Sets.
SAP Help has one section about it here: HTTP Response Header Sets.
Unfortunately X-Frame-Options: deny is a default value and it is not possible to remove it from the system... but fortunately you can unset it in Cloud Portal.
My configuration for SmartEdit contains two entries:
- setting Content-Security-Policy with a frame-ancestors wildcard, so that any request from Commerce Cloud is allowed to frame the site.
- unsetting X-Frame-Options, to make it finally work, as it is replaced by CSP (more info on MDN: X-Frame-Options).
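As an added check (example code written for this post, not SAP's or SmartEdit's), here is a small Python model of how a browser decides whether a response may be framed: a CSP frame-ancestors directive, when present, takes precedence over X-Frame-Options, which is why the deny header alone blocks SmartEdit and why the CSP entry fixes it. The storefront and SmartEdit origins in the sample headers are constructed placeholders, and the matcher ignores explicit ports.

```python
from urllib.parse import urlsplit

# Constructed header sets: the default deny, and the same deny left in place but overridden by a CSP.
DEFAULT_HEADERS = {"X-Frame-Options": "deny"}
FIXED_HEADERS = {"X-Frame-Options": "deny",
                 "Content-Security-Policy": "frame-ancestors 'self' https://*.example.com"}

def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def source_matches(source, parent, self_origin):
    """Match one frame-ancestors source expression against the embedding (parent) origin."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return parent.lower() == self_origin.lower()
    if src == "*":
        return True
    p = urlsplit(parent)
    if src.endswith(":") and "/" not in src:      # scheme-source such as "https:"
        return p.scheme == src[:-1]
    if "://" in src:                               # host-source with an explicit scheme
        scheme, rest = src.split("://", 1)
        if p.scheme != scheme:
            return False
    else:                                          # bare host-source: parent scheme not checked here
        rest = src
    host = rest.split(":")[0]                      # simplification: an explicit port is ignored
    if host.startswith("*."):                      # wildcard matches any subdomain depth
        return p.hostname.endswith(host[1:])
    return p.hostname == host

def framing_allowed(headers, parent_origin, self_origin):
    """Decide like a browser: a CSP frame-ancestors directive, when present, overrides X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = parse_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        return any(source_matches(s, parent_origin, self_origin) for s in sources), "CSP frame-ancestors"
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False, "X-Frame-Options: deny"
    if xfo == "sameorigin":
        return parent_origin.lower() == self_origin.lower(), "X-Frame-Options: sameorigin"
    return True, "no framing restriction"
```

Keep the frame-ancestors list as narrow as SmartEdit actually needs; a bare * lets any site frame the storefront, which is the clickjacking exposure the deny default exists to prevent.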
Top comments (1)
Thanks, this really helped. This error came from nowhere from one day to the next, without changing code or configuration, and we were starting to wonder if it had to do with SAP.