SAP Knowledge Base Article - Preview

2542903 - Support of the X-Frame-Options Header ALLOW-FROM property


  • You have an application or resource that sets the X-Frame-Options header, as recommended, to prevent clickjacking attacks
  • You have configured the application/web server to include the ALLOW-FROM parameter, which will include the Enterprise Portal domain. Your header is now sent as:
    X-Frame-Options: ALLOW-FROM
  • In some browsers, such as Google Chrome, the application or resource will still refuse to render inside an iframe



  • SAP NetWeaver Release independent


SAP NetWeaver all versions


x, frame, options, clickjacking, click, jacking, click-jacking, iframe, iframes, frames, frame, allow, from, allowlist, exclude, portal, fiori, server, webkit, web kit, safari, firefox, ie, edge, internet, explorer, microsoft, apple, google, opera, mozilla, android, ios , KBA , whitelist , EP-PIN-AI , Application Integration , CA-UI2-INT-BE , Please use CA-FLP-ABA , EP-PIN-NAV-FFP , Fiori Framework Page , Problem
