Clickjacking is a UI-redressing attack in which an attacker tricks a user into clicking on something different from what the user believes they are clicking on, typically by loading the target application in an invisible or disguised frame. The attack relies on standard HTML behaviour (the browser's ability to frame any page) and does not depend on a weakness in the application's own code.
To protect BSP applications against clickjacking, SAP added framing protection to the BSP runtime: when a BSP page is generated, the system injects an anti-clickjacking block into the HTML head. A style rule first hides the whole page body; a script then checks, via the whitelist service, whether the page is allowed to be displayed in the current frame, and only if that check passes is the body revealed. If the frame is not allowed, the denied message is shown instead; if the whitelist service cannot be reached, the timeout message is shown.
```html
<!-- Injected by the BSP runtime: hide the body until the framing check has passed -->
<style id="SAP-antiClickjackStyle">body { display: none !important; }</style>
<!-- Framing protection script; the data-* attributes configure the check -->
<script src="/sap/public/bc/uics/whitelist/ClickjackingFramingProtection.js"
        id="SAP-antiClickjackScript"
        data-styleId="SAP-antiClickjackStyle"
        data-checkService="/sap/public/bc/uics/whitelist"
        data-deniedMessage="This application cannot run in that Frame."
        data-releaseTimeoutMessage="The white list service cannot be reached."
        data-applyProtectionCallback="UCF_IHubFrameProtect.applyProtection">
</script></head>
```
Whether this protection is applied can be controlled per application through the settings maintained in table ‘BSPGLOBALSETTING’.
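The injected block above is only a hidden-body style plus a script that decides whether to reveal the body. As an added example (not SAP's ClickjackingFramingProtection.js and not code from this post), the script below implements the same decision pattern in plain browser JavaScript: the framing decision is kept in a pure function so the behaviour can be followed without a DOM, and a small wrapper applies it to the page using the same element id and messages as the SAP snippet. The allowlist origin `https://portal.example.com`, the `decideFraming`/`browserContext`/`applyProtection` names and the `whitelistAvailable` flag are assumptions for illustration; SAP's script instead asks the whitelist service at `data-checkService`.

```javascript
// Added illustration of the framing-protection pattern; not SAP's script.
// Hypothetical allowlist of origins permitted to frame this application.
const ALLOWED_FRAMING_ORIGINS = ["https://portal.example.com"];

// Pure decision: "release" (show body), "deny" (show denied message) or
// "timeout" (whitelist check unavailable; keep body hidden, show timeout message).
// ctx = { isFramed: boolean, framerOrigin: string|null, whitelistAvailable: boolean }
function decideFraming(ctx, allowed = ALLOWED_FRAMING_ORIGINS) {
  if (!ctx.isFramed) return "release";            // top-level window: nothing to check
  if (!ctx.whitelistAvailable) return "timeout";  // fail closed when the check cannot run
  if (ctx.framerOrigin && allowed.includes(ctx.framerOrigin)) return "release";
  return "deny";                                  // unknown or missing framer origin
}

// Derive the context from the browser. Reading win.top throws for a cross-origin
// parent, which is itself proof that we are framed. location.ancestorOrigins is
// Chromium/WebKit only, so fall back to the referrer where it is absent.
function browserContext(win, doc) {
  let isFramed = false;
  try { isFramed = win.self !== win.top; } catch (e) { isFramed = true; }
  let framerOrigin = null;
  if (isFramed) {
    const anc = win.location.ancestorOrigins;
    if (anc && anc.length) framerOrigin = anc[anc.length - 1];      // outermost frame
    else if (doc.referrer) framerOrigin = new URL(doc.referrer).origin;
  }
  // Assumption: the allowlist is embedded, so it is always "available" here.
  return { isFramed, framerOrigin, whitelistAvailable: true };
}

// Apply the decision to the page: remove the hiding style to reveal the body,
// or replace the body with the configured message. Returns the decision taken.
function applyProtection(win, doc, styleId, deniedMessage, timeoutMessage) {
  const decision = decideFraming(browserContext(win, doc));
  const style = doc.getElementById(styleId);
  if (decision !== "release") {
    doc.body.textContent = decision === "deny" ? deniedMessage : timeoutMessage;
  }
  if (style) style.parentNode.removeChild(style); // body (or message) becomes visible
  return decision;
}

// Runs only where scripts execute. An email client does not run this, so the
// hiding style from <head> is never removed and the body stays blank.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  applyProtection(window, document, "SAP-antiClickjackStyle",
    "This application cannot run in that Frame.",
    "The white list service cannot be reached.");
}
```

The design point worth noting is that this kind of protection is only as good as the script's ability to run: a page rendered by a browser executes it and is revealed or blocked accordingly, while a page rendered as an email body is never released from the `display: none` rule, which is the effect described for the notification emails below.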
How is Anti-Clickjacking linked to the GRC applications?
In GRC, when work item notifications are sent, the system builds the email body with the BSP application ‘SWN_MESSAGE1’, which consolidates the work items and sends them as one email. With Anti-Clickjacking turned on, the generated HTML carries the style that hides the body, and because the email client does not run the framing-protection script that would reveal it, the email body appears empty.
Once Anti-Clickjacking is turned off for this application, the email content is displayed as expected. Turn it off only for BSP applications whose output is consumed outside a browser, such as this email body; BSP pages that are rendered in a browser should keep the protection.
GRC-PC applications that use BSP pages:
- Notifications
- Manual Control Performance
Note: If Anti-Clickjacking is not configured correctly, the email client (for example MS Outlook) can stop responding when it processes the HTML generated with the protection scripts.