After a runtime filter is selected on running a report on Microsoft Edge the following error appears:
"This content can't be shown in a frame"
"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."
- SAP SuccessFactors HCM Suite
- Report Canvas
There is a compatibility issue with Microsoft Edge and the WFA framework (Report Canvas is a tool from WFA) . The defect in Edge, strips the content WFA uses to evaluate how 'X-Frame-Options' and 'Content-Security-Policy' headers are set. So, missing content causes incorrectly setting 'SAMEORIGIN' value for iFrames - where as the expected behavior is having ALLOW-FROM parent origin as in set correctly other browsers- Eventually, iFrame becomes more restricted than necessary and blocking user to render the content.
Shortly, a defect in Edge when combined with security logic top prevent ClikJacking results a complete blockage.
There are two options to adress this behavior:
- Either use other browsers like Internet Explorer, Firefox, Chrome, but not Edge until this problem is addressed.
- Or you can disable ClickJacking until Edge issue gets resolved, referring to risk assessment provided by security engineering.
Disabling the protection is one of the option. You can calculate the CVSS score for Clickjacking vulnerability in the website Security Evaluation; The score is 6.1 which is a medium issue. The CVSS is the common risk rating system we used to communicate internal as well as external.
Report center - Edge - Runtime filter - This content can't be shown in a frame , KBA , LOD-SF-ANA-ORD , Online Report Designer , LOD-SF-ANA-ODS , Advanced Reporting (ODS) , Problem