
EP: Portal & Clickjacking – A Hidden Relationship?


In the modern world of computing and IT, security is perhaps one of the most important aspects of assured business practice and conformance. Without the necessary security measures and protection mechanisms the consequences can be severe in all walks of life, and the Enterprise Portal is no different. In my experience with the Enterprise Portal I have dealt with many scenarios in which customers performed security scans and updates in a bid to identify vulnerabilities and apply corrective measures where necessary. Such processes are encouraged, as they help ensure Portal environments are fine-tuned when it comes to protection against harmful and malicious threats from diverse sources.

What is Clickjacking?

Clickjacking is something I have seen noted by customers on multiple occasions as a result of running vulnerability scans. In essence, clickjacking is a means of tricking users into performing hidden actions through disguised links and page elements: the genuine page is loaded inside a frame on a page controlled by someone else, so a click that appears to land on the visible content actually lands on the framed page.


Clickjacking – Protection Step 1

If you have conversed with SAP you will be aware of the importance of implementing the latest Patch Level release and Support Package. Applying the latest Patch Levels and SPs resolves easily avoidable issues and offers preventive measures against potential ones. "Potential issues" can indeed include security breaches and threats, so the recommendation is always to ensure the latest SPs and patches have been applied.

Clickjacking – Protection Step 2

If you run security and authorization checks from a Portal perspective you may come across possible concerns across a wide range of Portal component areas, and in many cases these have to be checked independently. Here we lay the foundation (following Step 1) for a solid clickjacking protection setup by implementing preventive guidelines that ensure your Portal setup and environment has the correct security settings.

A core aspect of clickjacking protection is the surrounding platform in which the Portal operates: the browser.


From the Portal's perspective it is of vital importance that the web browser platform being used is supported by SAP for the intended use. To support optimal browser performance you will need to ensure that the browser product version in use (IE, Chrome, Firefox, Safari) supports your NW version and vice versa. By optimal browser performance I am referring to two different aspects:

  • Rendering: how the presentation is presented to the end user in terms of EP components & elements
  • Security & Navigation: functionality setup and essentially “click-ability” and “select-ability”

The primary means of checking whether or not your present web browser platform version is supported is the SAP PAM (Product Availability Matrix). The PAM shows which product versions support which web browser versions and vice versa. It also provides an informative outline of the limitations (if any) that may exist with a potentially unsupported setup.

Although we can regard the use of an unsupported browser platform as a lack of common sense, in many cases we inadvertently open ourselves up to potential threats. For example, if you are using standardized company software and are participating in a project, perhaps you want to make use of some free software to add an extra degree of detail to your project. This could be anything from a grammar-checking tool to graphics-generation software.

If you have experience downloading software you will have encountered launch programs and .exe installers on many occasions. Here we often click quickly through the installer as we only want the final product. In doing so we might accidentally install a host of third-party tools such as browser plugins and toolbars. You are never quite sure what you are downloading if it is not from a trusted source. By downloading any third-party software, even for temporary use, you could inadvertently be installing spyware and phishing mechanisms to which you are "none the wiser".

The recommendation is to install only what is supported and to consult your administrators regarding any programs or tools which are not available as standard in your organization's setup.

Combining Protection Step 1 & Protection Step 2

I would strongly recommend reviewing the following guidance documentation for additional insight, as this will help set a solid foundation of protection measures against clickjacking.

Protection Step 3 – Applications & Elements

The first point of reference here is SAP Note 1781171 – ClickJacking vulnerability in WebDynpro Java. The recommended practice is to set the property "ClickJacking" to "true" and "X-FRAME-OPTIONS" to "SAMEORIGIN". This ensures the header is sent consistently on all WDJ server responses.

  • SAP Note: 2319727 – Clickjacking protection framework in SAP Netweaver AS ABAP and AS Java

However, do note that X-FRAME-OPTIONS is not supported consistently across all browsers. Refer to the SAP documentation for more details.

Protection Step 4 – Iframes & Forbidden Framing References

Many of us as Portal end-users have encountered the infamous message "This content cannot be displayed in a frame. To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame. What you can try: Open this content in a new window", which can arise for a whole range of different reasons. Sticking to the topic of clickjacking on the Web Dynpro front, in many cases the root cause is the web browser platform itself and cannot be avoided by us.

Both documentation links outlined above share additional details about the Allow-From attribute. Such issues led to the creation of the X-Frame-Options header to avoid clickjacking vulnerabilities in WD setups, which again is complemented by SAP Note 1781171 – ClickJacking vulnerability in WebDynpro Java.

By default the Portal allows itself to be framed into a page on another (third-party) domain. This ability is required in order to support Interoperability mode. For more information on this, see the SAP Help topic Integrating SAP Portal Content into Other Portal Servers.

This is the reason the Portal itself does not set the X-Frame-Options header (which disables or limits framing). To avoid clickjacking you can instead use a reverse proxy to prevent the SAP NW Portal framework page from being framed: configure the reverse proxy to add the 'X-FRAME-OPTIONS' response header with a value that disallows framing. As an illustration, a website owner (Google, say) prevents clickjacking by sending the HTTP response header X-Frame-Options: DENY; the browser then refuses to render the page in a frame and you get the error message "This content cannot be displayed in a frame". Again, this is enforced by the browser.

One example of such a reverse proxy is the Apache reverse proxy. See more details on X-FRAME-OPTIONS here:
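To confirm that the reverse-proxy setup described above actually works, the following script checks raw HTTP responses for the X-Frame-Options header and reports whether cross-origin framing is reliably blocked. It is an added example and not SAP's or Apache's code; the sample responses, the host name partner-portal.example and the function names are constructed for illustration. It also covers the caveat stated above, that ALLOW-FROM is not honored by every browser.

```python
"""
Verify X-Frame-Options on HTTP responses as a post-change check for a reverse proxy
that fronts the Portal. Added example, not SAP's or Apache's code; the sample
responses below are constructed, not captured from a real system.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Directives that every major browser enforces. ALLOW-FROM is deliberately excluded:
# it is the part of X-Frame-Options that is not supported by all browsers.
ENFORCED_DIRECTIVES = {"DENY", "SAMEORIGIN"}


@dataclass
class FramingVerdict:
    protected: bool                 # True only when cross-origin framing is reliably blocked
    reason: str                     # explanation suitable for a scan report
    value: Optional[str] = None     # directive(s) seen in the header, if any


def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.x response.

    Returns lower-cased header names mapped to the list of values seen, so that
    duplicated headers are not silently collapsed into one.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue                           # malformed line, ignore it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def assess_framing_protection(raw_response: str) -> FramingVerdict:
    """Decide whether the response's X-Frame-Options prevents cross-origin framing."""
    values = parse_headers(raw_response).get("x-frame-options", [])
    if not values:
        return FramingVerdict(False, "X-Frame-Options absent: the page can be framed by any site")
    # Values may also arrive comma-joined in a single field; split them out.
    directives = [v.strip().upper() for raw in values for v in raw.split(",") if v.strip()]
    if len(directives) > 1:
        return FramingVerdict(False, "multiple X-Frame-Options values; serve exactly one directive",
                              ", ".join(directives))
    directive = directives[0]
    if directive in ENFORCED_DIRECTIVES:
        return FramingVerdict(True, f"X-Frame-Options: {directive} is enforced by browsers", directive)
    if directive.startswith("ALLOW-FROM"):
        return FramingVerdict(False, "ALLOW-FROM is not supported by all browsers and is ignored "
                                     "where unsupported", directive)
    return FramingVerdict(False, f"unrecognized directive {directive!r}; browsers ignore it", directive)


# Constructed sample responses (not captured from a real system).
SAMPLE_PROXIED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  "X-Frame-Options: SAMEORIGIN\r\n\r\n<html>framework page</html>")
SAMPLE_PORTAL_DEFAULT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>framework page</html>"
SAMPLE_ALLOW_FROM = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                     "X-Frame-Options: ALLOW-FROM https://partner-portal.example\r\n\r\n<html></html>")


def scan_samples() -> Dict[str, FramingVerdict]:
    """Run the check over the constructed samples; returns a name -> verdict map."""
    return {
        "proxied": assess_framing_protection(SAMPLE_PROXIED),
        "portal_default": assess_framing_protection(SAMPLE_PORTAL_DEFAULT),
        "allow_from": assess_framing_protection(SAMPLE_ALLOW_FROM),
    }


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        status = "OK  " if verdict.protected else "FAIL"
        print(f"[{status}] {name}: {verdict.reason} ({verdict.value})")
```

On Apache httpd as the reverse proxy, the header is typically added with the mod_headers directive `Header always set X-Frame-Options "SAMEORIGIN"` in the virtual host that fronts the Portal; the script can then be run over a response captured from the proxy (rather than from the Portal directly) to confirm the header actually reaches the browser.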

Reference Point – Fiori & Clickjacking

The primary driver behind using the Fiori Launchpad on Portal is to provide end-users with the practical experience that Fiori itself offers. The Fiori Launchpad on Portal shares the same approach delivered within the normal Enterprise Portal environment, although the way that experience is displayed is different!

      Stefan Mahnke

      Hi Troy, great post - thanks a lot!

      I have problems accessing the links. Can you access them?

      By the way there is another interesting SAP note 2319727 on this issue.

      Regards Stefan

      Former Member

      Good job Troy, some other people and me discussed this topic:

      Behind all the general stuff (common sense, PAM, update strategy and so on) the problems that could occur seem to be technology specific. From the thread I'm pointing to I wasn't able to perceive a concrete scenario people are talking about, if they talk about steps to prevent clickjacking in their environment. This is by far not sufficient from my point of view: what is your criteria for success or validity of steps like enriching response headers? So, are you aware of concrete malware / trojan families causing harm through clickjacking in SAP applications accessible over the web? What experience have you possibly gained by working on appropriate OSS cases? Can you deliver some real-life issues for different technologies, e.g. for WDJ or Fiori? Thank you very much for your relentless effort


      Troy Cronin
      Blog Post Author

      Hi Stefan & Lawrence

      I hope you are both keeping well & many thanks for the feedback and continual support it is greatly appreciated.

      @Stefan I've added the note you highlighted to the blog posting for future interested parties as this is of vital importance (many thanks for pointing this out). Please kindly let me know if you encounter issues with the pages and I will look into this internally.

      @Lawrence I agree with you 100% especially with reference to the thread discussions. When we are dealing with clickjacking scenarios obviously there are two main points of interest the first of which relates to high level "generic" protection for system setups and the second is based upon customer specific scenarios. At present there is no clean-cut method combining both although I plan to work towards creating such a methodology with these blog postings. So as we know here the "preventive" measures stem directly from SAP Note: "2169722 - Clickjacking protection framework for Enterprise Portal".

      Now regarding your queries, let's try and address these individually. Firstly with respect to Fiori and the setup. At present, as we know, Fiori is still relatively new and fresh in terms of functionality and operation enhancements. In direct association with Fiori and ClickJacking there is one core highlighted issue which has been reported at present, which ties back to SAP Note 2057847. With Fiori it is important, when we are dealing with Fiori iViews, to ensure the iView setup itself follows the official configuration guide:

      There was a noted issue here with the use of the iView and IE11 as a web browser platform, as running clickjacking protection with invalid relaxed boundaries could potentially block the applications from appearing correctly. In the SAP Fiori iView the point of interest here is the property "":

      Now regarding concrete Malware families obviously these exist in abundance and the fundamental protection guide is that of:

      Again here as you will see the best form of protection is indeed prevention. However with reference to cross-site framing issues the currently identified weaknesses are indeed reviewed here:

      Cross-Site issues are highly dependent on the NetWeaver version, as many version have patches available. (SAP Note: 1450166 describing the NW engine protection mechanism). This note has a conjoined guide attached to it. In the guide you can see how to protect standard & custom applications from XSRF attacks. Essentially this diversity among applications is where a "generic" or "general" one for all fix is removed as a possibility. However the principle of protection through prevention remains prevalent.

      From a Java perspective the recommendation is to deploy the latest patch level of the SCAs described in the validity section for (SAP-JEE, SAP_JTECHS, SAP-JEECOR).

      • This will add the XSRF Protection Framework to your system (if omitted).

      To protect applications from XSRF attacks you need to adopt the XSRF Protection Framework, as described in the attached guide (especially see Section 4 and Section 5).

      Lastly, again to generalize, I would like to add a point which complements the protection points covered in the blog itself. By the end of 2017 EP 7.0 versions will no longer be supported and this could lead to a wide range of issues, especially with security protection. Therefore, as you will know, we are actively encouraging the upgrade to a newer, higher NW version now as opposed to waiting until the last moment. The recommendation is to upgrade to EP 7.5, which has the longest maintenance period and moreover provides you with multiple new features and security enhancements.

      As always please feel free to reach out to me directly on SCN with any queries/comments/concerns that you might have and I will actively respond (time permitting) 😆 .

      Thank you both once again for the feedback it is greatly appreciated and I will continue to deliver blog content on all things Portal related.

      Kind Regards

      Troy Cronin - Enterprise Portal Support Engineer.

      Former Member

      Troy, thank you very much for your effort, I appreciate your work.

      Complex topic, I'm noticing I have a serious lack of knowledge regarding UI5 security and XSRF in the context of frame protection, I will need to correct that first. This:

      helped me a bit. Indeed, some aspects of x-frame-options protection seem to be controversially discussed:

      At the end: what has Doc Brown done to get some plutonium for the flux capacitor? Right, he made a deal with the Libyans 🙂 So I guess it could be a good idea to do some tests in an isolated environment. I hope I can come back on this soon

      Btw, this one seems to be broken:…

      Thank you again,


      Troy Cronin
      Blog Post Author

      Hi Lawrence

      Absolutely my pleasure and no problem at all 😎 . Regarding UI5 and ClickJacking I agree completely the topic is indeed "heavy" and can be quite complex. Also when we add the newer technologies into the mix we are all in the same boat of learning 😆 .

      The cheat sheet you provided is very informative and a great source of reference here. I believe I will over time make this blog posting into a series, as I did with the Fiori and Portal Logoff scenarios, as this might be the best approach here. A series of postings might be beneficial for all of us and help us have solid security settings with the Portal itself as the baseline for all integrated data and applications.

      If you have any inputs down the line please let me know and I will include these! Two minds are better than one, as they say 😆 .

      p.s. I have updated the broken link, let me know if there are any issues with accessing any of the documentation and I will correct these.

      Kind Regards & Have a Great Day

      Troy Cronin - Enterprise Portal Support Engineer

      rakesh singh

      Hi Experts,

      The query is w.r.t. the Clickjacking issue solution. I am also implementing a scenario of "FLP integration with SAP Portal" using the iView template and FFP*. I would like to know a few things about it.

      1. If a web dispatcher is in place for the integration scenario, do we still need to implement SAP note "2142551 - Whitelist service for Clickjacking Framing Protection in AS ABAP" to avoid the clickjacking issue?
      2. If yes to the above question, is updating the "HTTP_WHITELIST" table with the portal entry sufficient to avoid the clickjacking issue, or do we also need some code modification in SAP GW* for the UI component?

      Hoping for your experienced advice on my queries which would make it easier for me to implement required options.

      GW* : Gateway

      FFP*: Fiori Framework Page



      rakesh singh

      Hi Troy,

      I have another issue while testing the SAP Fiori Launchpad integration with SAP EP (SP09). The scenario is as below:

      • When I am trying to access the FFP (Fiori framework page) using the URL "https:<portal host:port>/irj/portal/fiori" I am able to launch the Fiori Framework page and can see my tiles on the page.
      • But when I am trying to access the same page using the web dispatcher URL "https:<web-dispatcher host:port>/irj/portal/fiori", I am just getting a blank page and the FFP page is not displayed.

      Please note that the web dispatcher is configured for the portal and I am able to access the portal using the web dispatcher URL "https:<web-dispatcher host>:port/irj/portal".

      Need your expert advice here on whether I am using the correct URL/process or am missing something.




      Troy Cronin
      Blog Post Author

      Hi Rakesh

      I hope you are keeping well and many thanks for using the SAP Communities.

      Just for future reference, I would recommend posting queries/questions in the Q&A section so they have full visibility within the Portal Area.

      This will allow us@SAP to work as one together with you in order to provide assistance and we will be able to see your postings 🙂

      Now surrounding the scenario that you have described you mentioned:

      • Testing FLP@EP integration alongside the FFP. You can access the FFP and see tiles as normal however doing so via the Web Dispatcher returns a blank page

      Ok firstly surrounding this I would like to reference also what you mentioned above regarding "clickjacking" as you should cross-reference the following documentation very closely:

      • SAP Note: 2057847 - Removing/Relaxing Click-Jacking Protection for the SAP Fiori Launchpad

      You can then verify that there are no discrepancies within the setup between the Fiori integration by following: SAP Note: 2017946 - SAP Fiori application integration with NetWeaver Portal

      Reference Documentation:

      - Fiori Apps & Web Dispatcher:

      - SAP Note: 2197753 - The ICM or Web Dispatcher admin page is blank in kernel 742 or higher

      Kind Regards,
      Troy Cronin - Enterprise Portal Support Engineer


      rakesh singh

      Hi Troy,

      Thanks! for the response.

      I am now able to see FLP contents when accessing from the portal FLP role, but I am facing an issue in the display of SAP Fiori Launchpad contents when launched from the portal role (web dispatcher portal URL). I am getting the content as in the screenshot below. Please note that the same content is launched properly when using the direct web dispatcher Fiori Launchpad URL.

      My EP version is NW7.4SP09 & FLP is NW7.4SP13

      Please help in resolving the same, if anyone has faced similar issue earlier.

      * The web dispatcher is configured for the integration scenario and we are able to access the portal using it.

      link to discussion: