SAP Commerce Cloud and Broken Smart Edit

Pawel Wolanski - Jun 4 '23 - - Dev Community

Issue

Recently I have been involved in a website go-live. Testers were complaining that they were not able to see the website in the SmartEdit built-in iframe.


Looking at the browser console, we realised that the jsapps endpoints had recently started to send one HTTP header:

    X-Frame-Options: deny

That is probably a consequence of an internal SAP security audit; see OWASP Secure Headers: X-Frame-Options.

On SAP Help you can find the article Adding HTTP CSP Frame-Ancestors. You will NOT find an explanation of how to actually do that.

Solution

Fortunately, it is possible to add HTTP response headers at runtime in Cloud Portal, on the sub-page Security -> HTTP Response Header Sets.

SAP Help has one section about it here: HTTP Response Header Sets.

Unfortunately, X-Frame-Options: deny is a default value and cannot be removed from the system... but fortunately you can unset it in Cloud Portal.

My configuration for SmartEdit contains two entries:

  • setting Content-Security-Policy with a wildcard to allow any request from Commerce Cloud.
  • unsetting X-Frame-Options to finally make it work, as it is replaced by CSP (more info on MDN: X-Frame-Options).
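As an added example (not part of the original post, and not SAP's or Cloud Portal's code), the following Python helper evaluates a response's framing policy in the order a CSP-aware browser uses: when Content-Security-Policy carries a frame-ancestors directive, that directive decides and X-Frame-Options is ignored; otherwise X-Frame-Options decides; with neither header, framing is allowed. It is run against two constructed header sets mirroring the states described above: the broken jsapps response carrying X-Frame-Options: deny and no CSP, and the fixed response with frame-ancestors set and X-Frame-Options unset. All hostnames are made up. The constructed frame-ancestors value lists the specific origins allowed to embed the page rather than a wildcard, which is the narrower form to prefer when the set of embedding hosts is known.

```python
"""Decide whether a response may be shown inside a frame, following the order a
CSP-aware browser uses: a Content-Security-Policy frame-ancestors directive, when
present, decides and X-Frame-Options is ignored; otherwise X-Frame-Options decides;
with neither header, framing is allowed. Added example, not SAP code; every
hostname below is constructed for the illustration."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def _origin_parts(origin):
    """(scheme, host, port) of an origin string, filling in the scheme's default port."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _source_matches(source, ancestor, page):
    """Match one frame-ancestors source expression against the embedding origin."""
    src = source.lower()
    a_scheme, a_host, a_port = _origin_parts(ancestor)
    if src == "'none'":
        return False
    if src == "'self'":
        return _origin_parts(page) == (a_scheme, a_host, a_port)
    if src == "*":
        return a_scheme in DEFAULT_PORTS            # any http(s) origin may embed
    if src.endswith(":") and "/" not in src:      # scheme-source such as "https:"
        return a_scheme == src[:-1]
    # host-source: [scheme://]host[:port]; a host may begin with "*." to cover
    # subdomains (but not the bare domain). Simplification: a source without a
    # scheme is matched against the ancestor's own scheme.
    s = urlsplit(src if "://" in src else f"{a_scheme}://{src}")
    if s.scheme != a_scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):
        if not a_host.endswith(host[1:]):
            return False
    elif host != a_host:
        return False
    expected_port = s.port if s.port is not None else DEFAULT_PORTS.get(s.scheme)
    return a_port == expected_port


def frame_ancestors(csp_header):
    """Return the frame-ancestors source list, or None if the directive is absent.
    An empty source list means 'none' (matches nothing)."""
    for directive in csp_header.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:] or ["'none'"]
    return None


def framing_allowed(headers, ancestor_origin, page_origin):
    """headers: the response headers as a dict (looked up case-insensitively).
    A real response may carry several Content-Security-Policy headers, each
    enforced independently; this single-dict helper models one of them."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            # frame-ancestors present: X-Frame-Options is ignored, whatever it says.
            return any(_source_matches(s, ancestor_origin, page_origin) for s in sources)
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return _origin_parts(ancestor_origin) == _origin_parts(page_origin)
    return True  # no recognised framing restriction


# Constructed header sets mirroring the two states in the post.
BROKEN_HEADERS = {"X-Frame-Options": "deny"}  # jsapps before the fix: no CSP, XFO deny
FIXED_HEADERS = {                             # after the fix: frame-ancestors set, XFO unset
    "Content-Security-Policy": "frame-ancestors 'self' https://*.example-commerce.test",
}
SMARTEDIT_ORIGIN = "https://backoffice.example-commerce.test"  # constructed embedding origin
STOREFRONT_ORIGIN = "https://www.example-commerce.test"       # constructed framed page origin


def demo():
    """Evaluate the framing decision for each state."""
    return {
        "broken": framing_allowed(BROKEN_HEADERS, SMARTEDIT_ORIGIN, STOREFRONT_ORIGIN),
        "fixed": framing_allowed(FIXED_HEADERS, SMARTEDIT_ORIGIN, STOREFRONT_ORIGIN),
        "fixed_other_origin": framing_allowed(FIXED_HEADERS, "https://other.example", STOREFRONT_ORIGIN),
        # A CSP-aware browser ignores X-Frame-Options once frame-ancestors is present,
        # so a stale "deny" left beside the CSP evaluates the same as "fixed".
        "fixed_with_stale_xfo": framing_allowed(
            {**FIXED_HEADERS, "X-Frame-Options": "deny"}, SMARTEDIT_ORIGIN, STOREFRONT_ORIGIN),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'framing allowed' if allowed else 'framing blocked'}")
```

Running the module prints one line per state; `broken` is blocked, `fixed` is allowed for the SmartEdit origin and blocked for any origin outside the listed hosts. The same `framing_allowed` call can be pointed at headers captured from a real storefront response to confirm that a Cloud Portal header set behaves as intended before testers reach it.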

