SAP Knowledge Base Article - Public

2169861 - LMS: Learning Plan Internet Explorer error "This content cannot be displayed in a frame" or blank page in Chrome or Firefox

Symptom

  • When trying to load the Learning Plan in Internet Explorer, it displays the error message "This content cannot be displayed in a frame."

           Cannot be displayed in a frame2.png



OR

  • In Chrome or Firefox: the screen shows up blank, just the background image will appear.

Environment

SuccessFactors Learning Management System (LMS)

Reproducing the Issue

  1. Login to BizX
  2. Select Learning module and make sure Learning Plan loads
  3. Select user name > Admin Tools
  4. Select Learning > Learning Administration (load the LMS admin side)
  5. Allow to finish loading > Top left go back to Bizx side
  6. Select Learning module again

Cause

This was a vulnerability that was found on iframes called clickjacking.

SF Engineering created settings to resolve this issue for customers who want to take advantage of it.
Starting in 1502 this was defaulted to true.

This was added by LRN-5096.
System Admin > Configuration > System Configuration > WEB_SECURITY

# Note this feature is still beta in b1411.
# Enable the clickjacking protection using the X-Frame-Options Response Headers
# when enabled will add the X-Frame-Options Header SAMEORIGIN or ALLOW-FROM uri to the response
# see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

clickjackingProtection.enabled=true

Resolution

You can turn off clickjacking to resolve this issue:
System Admin > Configuration > System Configuration > WEB_SECURITY

# Enable the clickjacking protection using the X-Frame-Options Response Headers
# when enabled will add the X-Frame-Options Header SAMEORIGIN or ALLOW-FROM uri to the response
# see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
clickjackingProtection.enabled=false

OR you can add an exception.
When using browser debugging you can see the url that is being blocked.

refused to display 'https://host.successfactors.com/learning/user/deeplink_redirect.jsp?linkId=HOME_PAGE&fromSF=Y&_s.crb=G%2fTBTVzXw1gKME3QpY5hujnPkcg%3d' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'

Add this url to the exception list:
# These pages are excluded. They will not have the X-Frame-Options Header
clickjackingProtection.excludeURI[1].uri=/user/placeholder.do
clickjackingProtection.excludeURI[scorm2004_header_1].uri=/user/onlineaccess/scorm/lms_scorm.jsp
clickjackingProtection.excludeURI[scorm2004_header_2].uri=/user/onlineaccess/scorm/Action.do
clickjackingProtection.excludeURI[scorm2004_header_3].uri=/user/onlineaccess/scorm/scorm_menu.jsp
clickjackingProtection.excludeURI[2].uri=/user/deeplink_redirect.jsp

Keywords

blank screen, not load, loading, click jacking, IE, content cannot be displayed in a frame , KBA , LOD-SF-LMS-COR , LMS Core - Items, Catalog, Curricula , LOD-SF-LMS , Learning Management System , LOD-SF-LMS-ADM , System Admin, Global Variables, References , LOD-SF-LMS-CNT , Content , LOD-SF-LMS-PER , Application Latency/ Performance Issues , Problem

Product

SAP SuccessFactors Learning 1708 ; SuccessFactors Learning 1207 ; SuccessFactors Learning 1210 ; SuccessFactors Learning 1302 ; SuccessFactors Learning 1305 ; SuccessFactors Learning 1308 ; SuccessFactors Learning 1311 ; SuccessFactors Learning 1405 ; SuccessFactors Learning 1408 ; SuccessFactors Learning 1508