SAP Knowledge Base Article - Preview

2542903 - Support of the X-Frame-Options Header ALLOW-FROM property


  • You have an application or resource that sets the X-Frame-Options header, as recommended, to prevent clickjacking attacks.
  • You have configured the application/web server to include the ALLOW-FROM parameter, which will include the Enterprise Portal domain. Your header is now sent as:
    X-Frame-Options: ALLOW-FROM
  • In some browsers, such as Google Chrome, the application or resource will still refuse to render inside an iframe.



  • SAP NetWeaver Release independent


SAP NetWeaver all versions


x, frame, options, clickjacking, click, jacking, click-jacking, iframe, iframes, frames, frame, allow, from, allowlist, exclude, portal, fiori, server, webkit, web kit, safari, firefox, ie, edge, internet, explorer, microsoft, apple, google, opera, mozilla, android, ios, KBA, whitelist, EP-PIN-AI, Application Integration, CA-UI2-INT-BE, Please use CA-FLP-ABA, EP-PIN-NAV-FFP, Fiori Framework Page, Problem

About this page

This is a preview of an SAP Knowledge Base Article. The full version is available on SAP ONE Support Launchpad (login required).
