Symptom
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental
When trying to load the Learning Plan in Internet Explorer, it displays the error message "This content cannot be displayed in a frame."
OR
In Chrome or Firefox, the screen is blank and only the background image appears.
Environment
SAP SuccessFactors Learning
Reproducing the Issue
- Log in to BizX
- Select the Learning module and make sure the Learning Plan loads
- Select user name > Admin Tools
- Select Learning > Learning Administration (this loads the LMS admin side)
- Allow it to finish loading, then go back to the BizX side from the top left
- Select the Learning module again
Cause
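Clickjacking is a vulnerability that was found on pages displayed in iframes.
SF Engineering created settings to resolve this issue for customers who want to take advantage of it.
Starting in 1502, the setting defaults to true. When it is enabled, responses carry the X-Frame-Options header, and the browser refuses to display a page in a frame that the header does not allow.
The setting was added by LRN-5096.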
System Admin > Configuration > System Configuration > WEB_SECURITY
# Note this feature is still beta in b1411.
# Enable the clickjacking protection using the X-Frame-Options Response Headers
# when enabled will add the X-Frame-Options Header SAMEORIGIN or ALLOW-FROM uri to the response
# see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
clickjackingProtection.enabled=true
Resolution
You can turn off clickjacking protection to resolve this issue:
System Admin > Configuration > System Configuration > WEB_SECURITY
# Enable the clickjacking protection using the X-Frame-Options Response Headers
# when enabled will add the X-Frame-Options Header SAMEORIGIN or ALLOW-FROM uri to the response
# see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
clickjackingProtection.enabled=false
OR you can add an exception, so that only the listed pages are sent without the X-Frame-Options header.
With the browser's debugging tools open, you can see the URL that is being blocked:
refused to display 'https://host.successfactors.com/learning/user/deeplink_redirect.jsp?linkId=HOME_PAGE&fromSF=Y&_s.crb=G%2fTBTVzXw1gKME3QpY5hujnPkcg%3d' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'
Add this URL to the exception list:
# These pages are excluded. They will not have the X-Frame-Options Header
clickjackingProtection.excludeURI[1].uri=/user/placeholder.do
clickjackingProtection.excludeURI[scorm2004_header_1].uri=/user/onlineaccess/scorm/lms_scorm.jsp
clickjackingProtection.excludeURI[scorm2004_header_2].uri=/user/onlineaccess/scorm/Action.do
clickjackingProtection.excludeURI[scorm2004_header_3].uri=/user/onlineaccess/scorm/scorm_menu.jsp
clickjackingProtection.excludeURI[2].uri=/user/deeplink_redirect.jsp
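As an added example (not part of the original KBA and not SAP code), the following script derives the exception entry from the browser console message and checks it against the existing WEB_SECURITY lines. It assumes that /learning is the context root to strip, that exceptions are compared as exact paths, and that the next free numeric key is used; the function names are hypothetical and the sample URL is shortened.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input, based on the console message and property lines in this article.
CONSOLE = ("refused to display 'https://host.successfactors.com/learning/user/"
           "deeplink_redirect.jsp?linkId=HOME_PAGE&fromSF=Y' in a frame because it set "
           "'X-Frame-Options' to 'SAMEORIGIN'")
WEB_SECURITY = """\
clickjackingProtection.enabled=true
clickjackingProtection.excludeURI[1].uri=/user/placeholder.do
clickjackingProtection.excludeURI[scorm2004_header_1].uri=/user/onlineaccess/scorm/lms_scorm.jsp
"""
CONTEXT_ROOT = "/learning"  # assumption: the LMS context path seen in the blocked URL

BLOCKED = re.compile(r"refused to display '([^']+)' in a frame because it set "
                     r"'X-Frame-Options' to '([^']+)'", re.IGNORECASE)
EXCLUDE = re.compile(r"^clickjackingProtection\.excludeURI\[([^\]]+)\]\.uri=(\S+)$")

def blocked_uri(console_line, context_root=CONTEXT_ROOT):
    """Return the path to list in excludeURI: no host, no context root, no query string."""
    m = BLOCKED.search(console_line)
    if not m:
        return None
    path = urlsplit(m.group(1)).path
    if path.startswith(context_root + "/"):
        path = path[len(context_root):]
    return path

def parse_excludes(config_text):
    """Map each excludeURI key to its uri, skipping comments and other properties."""
    out = {}
    for line in config_text.splitlines():
        m = EXCLUDE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out

def suggest_exclusion(console_line, config_text):
    """Return the property line to add (next numeric key, an assumption), or None."""
    uri = blocked_uri(console_line)
    excludes = parse_excludes(config_text)
    if uri is None or uri in excludes.values():
        return None  # not a framing error, or the page is already excluded
    numeric = [int(k) for k in excludes if k.isdigit()]
    return f"clickjackingProtection.excludeURI[{max(numeric, default=0) + 1}].uri={uri}"

if __name__ == "__main__":
    print(suggest_exclusion(CONSOLE, WEB_SECURITY))
```

Each suggested entry removes the header for that page only, so review the resulting list before saving it.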
Keywords
blank, screen, not load, loading, click jacking, IE, content, displayed, frame, learning, bizx, homepage, plan, redirect, menu , KBA , LOD-SF-LMS-COR , LMS Core - Items, Catalog, Curricula , LOD-SF-LMS , Learning Management System , LOD-SF-LMS-ADM , System Admin, Global Variables, References , LOD-SF-LMS-CNT , Content , LOD-SF-LMS-PER , Application Latency/ Performance Issues , Problem
SAP Knowledge Base Article - Public