Thursday, September 3, 2020

Disable X-FRAME-OPTIONS in SCP Portal Cloud Foundry

During a project for a customer I developed a standalone Fiori application. Because that project is hosted on SAP SCP multi-cloud (in other words, on the Cloud Foundry platform), I wrapped the Fiori application into a multi-target application (MTA) as an HTML5 module and added an approuter so I could access the application from the HTML repository.

The next step was to add that application to a portal service (also on the same subaccount). I managed to do this pretty easily, but when I launched the app from its tile, nothing happened. Or more accurately: the application launched, but there was only a message that the webpage refused the connection.


If you open the developer tools in Chrome (right-click and then Inspect), you will see a red message saying that the link was refused to display because X-Frame-Options is set to SAMEORIGIN.

You can find more on that option here, but in short: it is a security directive in the HTTP header that prevents clickjacking attacks. It works by letting a page refuse to be included in an iframe of another page.

But in the case of the portal, this is exactly what we want to do. The portal page opens our application in an iframe, and because the application does not want to be included, we see that error.

To resolve this we have two options:
  1. In the portal, you can configure the application to open in a new tab instead of inside the portal page.
  2. Convince the app router not to include that security header in its HTTP responses. This can be done in the SCP cockpit. Go to the subaccount and space where your application is deployed. In the left-hand menu, under Applications, find your app router. Click its name to open its configuration. Under User-Provided Variables, add a new variable named

SEND_XFRAMEOPTIONS = false

After that, restart the app router application so the new variable takes effect. You can do that on the Overview page in the left menu.
Then go to the portal, reload the page, and you should see the application up and running. Sometimes it is also necessary to reload the whole portal site.

Addition:

You can also set that environment variable automatically during the deployment process.
Just add it as a property to the app router's section of mta.yaml.

modules:
  - name: my-approuter
    type: approuter.nodejs
    path: my-approuter
    properties:
      SEND_XFRAMEOPTIONS: false    # <-- this property
    parameters:
      disk-quota: 256M
      memory: 256M
    requires:
      - name: my_html_repo_runtime
      - name: uaa
      - name: destination
      - name: connectivity
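
After setting SEND_XFRAMEOPTIONS = false it is worth checking which framing policy the responses still carry. The following is an added example, not code from the original post or from SAP: a simplified model of how a browser decides whether a parent origin may frame a response, applied to the SAMEORIGIN header described above, to a response with the header removed, and to an assumed alternative response that sends a CSP frame-ancestors directive. All origins, sample responses and function names are constructed for illustration.

```javascript
// Added example: decide whether a response may be framed by a given parent origin.
// Simplified model: a single ancestor, and frame-ancestors sources limited to
// 'none', 'self', *, exact origins and scheme://*.domain wildcards.
function sourceMatches(source, pageOrigin, parentOrigin) {
  if (source === "*") return true;
  if (source === "'self'") return parentOrigin === pageOrigin;
  const parent = new URL(parentOrigin);
  const m = /^(https?):\/\/\*\.(.+)$/.exec(source);
  if (m) return parent.protocol === m[1] + ":" && parent.hostname.endsWith("." + m[2]);
  try { return new URL(source).origin === parent.origin; } catch { return false; }
}

function framingVerdict(headers, pageOrigin, parentOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // frame-ancestors, when present, takes precedence over X-Frame-Options.
  const csp = h["content-security-policy"] || "";
  const directive = csp.split(";").map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    const sources = directive.slice(1);
    const ok = !sources.includes("'none'") &&
      sources.some(s => sourceMatches(s, pageOrigin, parentOrigin));
    return { allowed: ok, by: "frame-ancestors" };
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, by: "x-frame-options" };
  if (xfo === "SAMEORIGIN")
    return { allowed: parentOrigin === pageOrigin, by: "x-frame-options" };

  // No header, or a value current browsers ignore (e.g. ALLOW-FROM): any site may frame.
  return { allowed: true, by: "no-policy" };
}

// Constructed sample origins and responses (not taken from a real landscape).
const APP = "https://approuter.example.com";
const PORTAL = "https://portal.example.com";
const OTHER = "https://other.example.net";
const before = { "X-Frame-Options": "SAMEORIGIN" };   // header reported in the post
const after = {};                                     // SEND_XFRAMEOPTIONS = false
const scoped = { "Content-Security-Policy": "frame-ancestors 'self' " + PORTAL }; // assumed alternative

for (const [name, hdrs] of Object.entries({ before, after, scoped }))
  console.log(name, framingVerdict(hdrs, APP, PORTAL), framingVerdict(hdrs, APP, OTHER));
```

With the header simply removed, the verdict is "no-policy" for every parent origin, not only the portal; a frame-ancestors policy naming the portal origin keeps the portal working while other origins stay blocked.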

Comments:

  1. Hi, Thanks for this. I developed MTA application but if I run the application from second time onwards, $metadata is not loaded and the application hangs. Do you have any solution for this? Thanks