DEV Community

Pawel Wolanski
Pawel Wolanski

Posted on

SAP Commerce Cloud and Broken Smart Edit


Recently I have been involved in website go-live. Testers have been complaining that they were not able to see website in Smartedit built-in iFrame.

Image description

Looking at the console we realised that recently jsapps endpoints started to send one HTTP Header:

X-Frame-Options: deny
Enter fullscreen mode Exit fullscreen mode

That is probably a consequence of SAP internal security audit OWASP Secure Headers X-Frame-Options.

At SAP Help you can find an article Adding HTTP CSP Frame-Ancestors. You will NOT find explanation how to do that.


Fortunately there is possibility to add in-the-runtime HTTP Response Headers in Cloud Portal in sub-page Security -> HTTP Response Header Sets.

SAP Help has one section about it here: HTTP Response Header Sets.

Unfortunately X-Frame-Options: deny is a default value and it is not possible to remove from system... but fortunately you can unset it in Cloud Portal.

My configuration for Smartedit contains two entries:

  • setting Content-Security-Policy with wildcard to allow any request from Commerce Cloud.
  • unsetting X-Frame-Options to make it finally working, as it is replaced by CSP (more info on MDN XFO

Image description

Top comments (1)

vvillalobos2022 profile image

Thank this really help, this error came from nowhere one day to another without changing code neither configuration and we were starting to wonder if had to do with SAP.