`frame-options` is used to prevent security vulnerabilities like clickjacking. With the `frame-options` configuration you define whether SAPUI5 is allowed to run embedded in a frame from any origin, only from trusted origins, or not at all.

SAPUI5 provides the following configuration options for `frame-options`:
Mode | Default | Description
---|---|---
`allow` | X | Allows the application to be embedded from all origins
`deny` | | Denies embedding from all origins
`trusted` | | Allows the application to be embedded from trusted origins according to the same-origin policy and from origins allowed by the allowlist service
With `frame-options-config` the following additional configuration options can be set:
Parameter | Type | Default | Description
---|---|---|---
`callback` | | | Function that is called with the success state
| | | After the delay, the page remains blocked and the provided callback is invoked (milliseconds)
| | | Defines whether keyboard, mouse and touch events are blocked
| | | Defines whether an invisible block layer is rendered to prevent interaction with the UI
| | | Defines whether same-origin domains are allowed or not
| | | Contains the domain allowlist, for example
The `frame-options-config` cannot be set via URL. Wildcards are not supported.
If the application is not intended to run in a frame, set `frame-options` to `deny`:

```html
<script id='sap-ui-bootstrap'
    src='resources/sap-ui-core.js'
    data-sap-ui-frame-options='deny'>
</script>
```
To restrict the embedding to same-origin domains, set `frame-options` to `trusted`. The `callback` in the following code sample is called with a boolean as success state and can be used to implement an application-specific behavior.

```html
<script>
globalThis["sap-ui-config"] = {
    "frame-options": "trusted",
    "frame-options-config": {
        callback: function(bSuccess) {
            if (bSuccess) {
                alert("App is allowed to run!");
            } else {
                alert("App is not allowed to run!");
            }
        }
    }
};
</script>
<script id='sap-ui-bootstrap'
    src='resources/sap-ui-core.js'>
</script>
```
To allow the SAPUI5 application to be embedded in cross-origin domains, configure an allowlist service. The allowlist service checks whether the application can run in the parent origin or not.

```html
<script>
globalThis["sap-ui-config"] = {
    "allowlist-service": "url/to/allowlist/service",
    "frame-options": "trusted",
    "frame-options-config": {
        callback: function(bSuccess) {
            if (bSuccess) {
                alert("App is allowed to run!");
            } else {
                alert("App is not allowed to run!");
            }
        }
    }
};
</script>
<script id='sap-ui-bootstrap'
    src='resources/sap-ui-core.js'>
</script>
```
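The following is an added, stand-alone model of the `allow`/`deny`/`trusted` decision described above, including the same-origin rule, the exact-match allowlist (no wildcards) and the boolean passed to `callback`; it is not SAPUI5's own implementation, and the option names `allowSameOrigin` and `allowlist` as well as the way the parent origin is obtained are assumptions made for this illustration.

```javascript
// Added example modelling the frame-options decision. Assumptions: the parent
// origin is known (null when the page is not framed), and the config keys
// "allowSameOrigin" and "allowlist" are illustrative names, not SAPUI5's API.

// Decide whether a page served from ownOrigin may run inside a frame whose
// top-level document has origin parentOrigin.
function decideFrameOptions(mode, ownOrigin, parentOrigin, config = {}) {
  const { allowSameOrigin = true, allowlist = [] } = config;
  if (parentOrigin === null) return true;   // not embedded: nothing to block
  switch (mode) {
    case "allow":
      return true;                           // any origin may embed the app
    case "deny":
      return false;                          // never run inside a frame
    case "trusted": {
      if (allowSameOrigin && parentOrigin === ownOrigin) return true;
      // Allowlist entries are hostnames compared exactly (case-insensitive).
      // No wildcard expansion is done, so "*.example.com" matches nothing.
      const host = new URL(parentOrigin).hostname.toLowerCase();
      return allowlist.some((entry) => entry.toLowerCase() === host);
    }
    default:
      throw new Error(`unknown frame-options mode: ${mode}`);
  }
}

// Invoke the configured callback with the success state, as the runtime does,
// and return that state so the caller can act on it (e.g. stop rendering).
function applyFrameOptions(mode, ownOrigin, parentOrigin, config = {}) {
  const allowed = decideFrameOptions(mode, ownOrigin, parentOrigin, config);
  if (typeof config.callback === "function") config.callback(allowed);
  return allowed;
}
```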
Alternatively, a `<meta>` tag can be used to configure the `sap-allowlist-service` and set the `sap-ui-frame-options` to `trusted`. This only applies if the `allowlist-service` or `frame-options` configuration is not set otherwise according to the Configuration of the SAPUI5 Runtime.

```html
<meta name="sap-allowlist-service" content="url/to/allowlist/service" />
<script id='sap-ui-bootstrap'
    src='resources/sap-ui-core.js'>
</script>
```