UI5 applications that do not explicitly set the frame options to deny may be vulnerable to UI redress attacks ("clickjacking"). In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.
Explicitly set the frame options to "deny", either through window["sap-ui-config"] or through the data-sap-ui-frameOptions attribute of the script tag that sources the bootstrap script "sap-ui-core.js":

```javascript
window["sap-ui-config"] = {
  frameOptions: "deny",
  // ...
};
```

or, equivalently, as a property assignment on the configuration object:

```javascript
window["sap-ui-config"].frameOptions = "deny";
```

or on the bootstrap script tag:

```html
<script src="resources/sap-ui-core.js" data-sap-ui-frameOptions="deny"></script>
```

This UI5 application explicitly allows itself to be embedded in other applications:
```html
<!doctype html>
<html lang="en">
<head>
  ...
  <script>
    window["sap-ui-config"] = {
      frameOptions: "allow", // either through JS
      // ...
    };
  </script>
  <script
    src="resources/sap-ui-core.js"
    data-sap-ui-frameOptions="allow"
  ></script>
  <!-- or through the data-sap-ui-frameOptions attribute above -->
</head>
...
</html>
```

The default value of frameOptions, whether read from window["sap-ui-config"] or from data-sap-ui-frameOptions, is "allow", so leaving it untouched also allows the application to be embedded.
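The following audit helper is an added example, not part of this query help or of SAP UI5 itself. It reads a page as a string and reports what each of the two configuration points above sets frameOptions to, treats an absent value as the "allow" default described in the text, and flags pages where the global object and the bootstrap attribute disagree so a reviewer resolves them by hand. The sample pages are constructed for the example, and the regex-based extraction is an assumption of this lint: it recognises the common bootstrap shapes shown above and is not an HTML or JavaScript parser.

```javascript
// Added audit helper (example code, not from the query help or SAP UI5).
// Reports how UI5 frame options are configured in an HTML page string, from
// the data-sap-ui-frameOptions attribute on the bootstrap <script> tag and the
// frameOptions key of window["sap-ui-config"]. Regex-based: a lint over the
// usual bootstrap shapes, not a full HTML/JavaScript parser.

const DEFAULT_FRAME_OPTIONS = "allow"; // UI5 default when nothing is set

// Value of data-sap-ui-frameOptions on the <script> tag that loads
// sap-ui-core.js (lower-cased), or null when the attribute or tag is absent.
// The attribute may appear before or after src inside the tag.
function bootstrapAttrFrameOptions(html) {
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*["'][^"']*sap-ui-core\.js["'][^>]*>/i;
  const tag = html.match(tagRe);
  if (!tag) return null;
  const attr = tag[0].match(/\bdata-sap-ui-frameOptions\s*=\s*["']([^"']*)["']/i);
  return attr ? attr[1].trim().toLowerCase() : null;
}

// Value of frameOptions inside window["sap-ui-config"], written either as an
// object-literal assignment or as a property assignment, or null if not set.
function globalConfigFrameOptions(html) {
  const objRe = /window\s*\[\s*["']sap-ui-config["']\s*\]\s*=\s*\{([\s\S]*?)\}/;
  const obj = html.match(objRe);
  if (obj) {
    const m = obj[1].match(/\bframeOptions\s*:\s*["']([^"']*)["']/);
    if (m) return m[1].trim().toLowerCase();
  }
  const propRe =
    /window\s*\[\s*["']sap-ui-config["']\s*\]\s*\.\s*frameOptions\s*=\s*["']([^"']*)["']/;
  const p = html.match(propRe);
  return p ? p[1].trim().toLowerCase() : null;
}

// Combine both sources. explicitDeny is true only when every value that is set
// is "deny". conflicting marks pages where the two sources disagree; the
// effective value is then reported as null instead of guessing which one wins.
function auditFrameOptions(html) {
  const fromAttr = bootstrapAttrFrameOptions(html);
  const fromGlobal = globalConfigFrameOptions(html);
  const values = [fromAttr, fromGlobal].filter((v) => v !== null);
  const conflicting = values.length === 2 && values[0] !== values[1];
  const effective =
    values.length === 0 ? DEFAULT_FRAME_OPTIONS : conflicting ? null : values[0];
  return {
    fromAttr,
    fromGlobal,
    effective, // "allow", "deny", another UI5 value such as "trusted", or null
    explicitDeny: values.length > 0 && values.every((v) => v === "deny"),
    conflicting,
  };
}

// Constructed sample pages (not real applications) for the cases in the text.
const DENY_PAGE = `<!doctype html>
<html lang="en"><head>
<script>
  window["sap-ui-config"] = {
    frameOptions: "deny",
    libs: "sap.m"
  };
</script>
<script src="resources/sap-ui-core.js" data-sap-ui-frameOptions="deny"></script>
</head><body></body></html>`;

const DEFAULT_PAGE = `<html><head>
<script src="resources/sap-ui-core.js" data-sap-ui-libs="sap.m"></script>
</head></html>`;

const ALLOW_PAGE = `<!doctype html>
<html lang="en"><head>
<script>
  window["sap-ui-config"] = {
    frameOptions: "allow", // explicitly allows embedding
    libs: "sap.m"
  };
</script>
<script data-sap-ui-frameOptions="allow"
        src="resources/sap-ui-core.js"></script>
</head></html>`;

const CONFLICT_PAGE = `<html><head>
<script>window["sap-ui-config"] = window["sap-ui-config"] || {};
window["sap-ui-config"].frameOptions = "allow";</script>
<script src="resources/sap-ui-core.js" data-sap-ui-frameOptions="deny"></script>
</head></html>`;

// Usage: one line of verdict per page.
for (const [name, html] of Object.entries({ DENY_PAGE, DEFAULT_PAGE, ALLOW_PAGE, CONFLICT_PAGE })) {
  const r = auditFrameOptions(html);
  const verdict = r.explicitDeny
    ? "OK: frame options set to deny"
    : r.conflicting
      ? "REVIEW: global config and bootstrap attribute disagree"
      : `FLAG: effective frameOptions is "${r.effective}"`;
  console.log(`${name}: ${verdict}`);
}
```

The default page is the case the query is about: nothing is set, so the helper reports the "allow" default rather than treating silence as safe. Running it over a build's HTML entry points gives a quick pre-deployment check that complements the X-Frame-Options or Content-Security-Policy frame-ancestors header set on the server.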
- OWASP: Clickjacking Defense Cheat Sheet.
- Mozilla: X-Frame-Options.
- SAP UI5 Documentation: Frame Options.
- SAP UI5 Documentation: Allowlist Service.
- Common Weakness Enumeration: CWE-451.