frameOptions is used to prevent security vulnerabilities like clickjacking. With the frameOptions configuration you define whether SAPUI5 is allowed to run embedded in a frame from any origin, only from trusted origins, or not at all.
SAPUI5 provides the following configuration options for frameOptions:
| Mode | Default | Description |
|---|---|---|
| allow | X | Allows embedding from all origins |
| deny | | Denies embedding from all origins |
| trusted | | Allows embedding from trusted origins according to the same-origin policy, and from origins allowed by the whitelist service |
With frameOptionsConfig the following additional configuration options can be set:
| Parameter | Type | Default | Description |
|---|---|---|---|
| callback | function(bSuccess) | | Function that is called with the success state. Note: the function can be called synchronously from the SAPUI5 bootstrap script, so the DOM (document.body) may not be accessible yet. |
| timeout | number | 10000 | Delay in milliseconds after which the page remains blocked and the provided callback is invoked |
| blockEvents | boolean | true | Defines whether keyboard, mouse and touch events are blocked |
| showBlockLayer | boolean | true | Defines whether an invisible block layer is rendered to prevent interaction with the UI |
| allowSameOrigin | boolean | true | Defines whether same-origin domains are allowed |
| whitelist | string | | Contains the domain whitelist (comma-separated) |
If the application is not intended to run in a frame, set frameOptions to deny:
```html
<script id='sap-ui-bootstrap' src='resources/sap-ui-core.js' data-sap-ui-frameOptions='deny'></script>
```
To restrict the embedding to same-origin domains, set frameOptions to trusted. The callback in the following code sample is called with a boolean as success state and can be used to implement an application-specific behavior.
```html
<script>
  window["sap-ui-config"] = {
    frameOptions: 'trusted',
    frameOptionsConfig: {
      callback: function(bSuccess) {
        if (bSuccess) {
          alert("App is allowed to run!");
        } else {
          alert("App is not allowed to run!");
        }
      }
    }
  };
</script>
<script id='sap-ui-bootstrap' src='resources/sap-ui-core.js'></script>
```
To allow the SAPUI5 application to be embedded in cross-origin domains, configure a whitelist service. The whitelist service checks whether the application may run in the parent origin or not.
```html
<script>
  window["sap-ui-config"] = {
    whitelistService: 'url/to/whitelist/service',
    frameOptions: 'trusted',
    frameOptionsConfig: {
      callback: function(bSuccess) {
        if (bSuccess) {
          alert("App is allowed to run!");
        } else {
          alert("App is not allowed to run!");
        }
      }
    }
  };
</script>
<script id='sap-ui-bootstrap' src='resources/sap-ui-core.js'></script>
```
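The decision rules of the three modes, written out as an added JavaScript illustration (not SAPUI5's own code): allow and deny are unconditional, while trusted admits the parent when it is same-origin and allowSameOrigin is set, and otherwise consults the comma-separated whitelist. Matching whitelist entries by hostname and representing the framing parent by its origin string are assumptions; the round trip to the whitelist service is not modelled.

```javascript
// Added illustration of the frameOptions rules described on this page.
// NOT SAPUI5's implementation: hostname matching of whitelist entries is an
// assumption, and the whitelistService request is not modelled.

// "whitelist" is a comma-separated string of domains (may be empty/undefined).
function parseWhitelist(list) {
  return (list || "")
    .split(",")
    .map((s) => s.trim().toLowerCase())
    .filter((s) => s.length > 0);
}

function originHost(origin) {
  return new URL(origin).hostname.toLowerCase();
}

// Decide whether an app served from appOrigin may run inside a frame whose
// parent document has parentOrigin (null when the page is not framed at all).
function isEmbeddingAllowed(config, appOrigin, parentOrigin) {
  if (parentOrigin === null) return true; // top-level document: nothing to block
  const mode = config.frameOptions || "allow"; // "allow" is the documented default
  const opts = config.frameOptionsConfig || {};
  if (mode === "allow") return true;
  if (mode === "deny") return false;
  if (mode !== "trusted") throw new Error("unknown frameOptions mode: " + mode);
  const allowSameOrigin = opts.allowSameOrigin !== false; // default true
  if (allowSameOrigin && appOrigin === parentOrigin) return true;
  return parseWhitelist(opts.whitelist).includes(originHost(parentOrigin));
}

// Mirror the page's callback pattern: decide, hand the boolean success state
// to the application-specific callback (if configured) and return it.
function runFrameCheck(config, appOrigin, parentOrigin) {
  const bSuccess = isEmbeddingAllowed(config, appOrigin, parentOrigin);
  const cb = (config.frameOptionsConfig || {}).callback;
  if (typeof cb === "function") cb(bSuccess);
  return bSuccess;
}
```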
Alternatively, a `<meta>` tag can be used to configure the whitelistService and set the frameOptions to trusted. This only applies if the whitelistService or frameOptions configuration is not set in the SAPUI5 configuration.
```html
<meta name="sap.whitelistService" content="url/to/whitelist/service" />
<script id='sap-ui-bootstrap' src='resources/sap-ui-core.js'></script>
```