Embedding SAP WebGUI into External Applications: Bypassing the Clickjacking Protection
Learn how to synchronize SAP tables using RFC_READ_TABLE and RESTful APIs. This guide covers ABAP code examples, integration strategies, and best practices for secure, efficient SAP data extraction and system integration.
Integrating SAP WebGUI into a custom web application can be a powerful way to extend enterprise workflows and improve user experience. However, SAP’s built-in clickjacking protection often gets in the way, especially when embedding WebGUI via an <iframe> from a different subdomain.
In this post, I’ll walk you through:
- 🧠 What clickjacking is and why it matters
- 🧪 Why SAP WebGUI’s JavaScript clickjacking protection doesn’t work cross-subdomain
- 🔧 How I solved it using
window.postMessage - 🛡️ What configuration is needed on the SAP side to allow this integration
All code provided adheres to modern clean code principles, and this approach works with recent SAP NetWeaver versions.
💥 What is Clickjacking?
Clickjacking is a web-based attack where a malicious site embeds another site in a transparent frame and tricks the user into clicking something they didn’t intend to.
Imagine a legitimate SAP transaction screen embedded in an invisible iframe. The attacker might overlay a “Download Now” button that actually triggers sensitive actions in the SAP system underneath.
To prevent this, web applications often:
- Deny embedding via the
X-Frame-OptionsorContent-Security-Policyheaders. - Implement JavaScript-based frame busting, like SAP WebGUI does.
While effective, this protection can be too aggressive when legitimate applications - like your company’s portal - need to embed SAP UI components from another subdomain.
🧬 SAP’s JavaScript-Based Clickjacking Protection (And Why It Fails)
SAP WebGUI includes a JavaScript snippet that performs runtime checks to ensure it’s not embedded by an unauthorized parent.
Here’s a simplified and cleaned-up version of what SAP uses:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
try {
let testWindow = parent.window;
let isTrusted = false;
do {
const domain = testWindow.document.domain;
if (testWindow === top) {
if (domain !== undefined) {
isTrusted = true;
}
break;
}
testWindow = testWindow.parent;
} while (true);
if (isTrusted) {
applyState(true, true);
}
} catch (e) {
// Access denied - likely different subdomain
parent.postMessage('SAPFrameProtection*require-origin', '*');
window.setTimeout(noResponseAlert, iTimeoutValue);
}
⚠️ Why it fails across subdomains
Even if you’re using the same base domain (like sap.company.com and portal.company.com), this check throws a SecurityError because:
- The browser considers these as different origins.
- Accessing
parent.document.domaintriggers a cross-origin policy violation. - Therefore, the script falls into the
catchblock.
If the postMessage sent in the catch block is not properly answered, SAP assumes the WebGUI is embedded by an unauthorized source and stops rendering it, showing a clickjacking warning.
🔓 Solution: Handling the postMessage Response in Parent Frame
SAP WebGUI sends a postMessage to its parent when it suspects clickjacking. You can respond from the parent application to explicitly whitelist your embedding.
Here’s how to do it from the parent frame:
1
2
3
4
5
window.addEventListener('message', (event) => {
if (event.data === 'SAPFrameProtection*require-origin') {
event.source?.postMessage('SAPFrameProtection*parent-unlocked', '*');
}
});
🧼 Clean Code Notes:
- Uses optional chaining to avoid runtime errors.
- Compares event data explicitly.
- Avoids wildcard listeners or unsafe pattern matching.
This tells the SAP WebGUI: “Hey, I’m a trusted parent - it’s OK to render.”
🔧 SAP Backend Configuration: UCONCOCKPIT Whitelist
For the solution to work, you must also explicitly allow the subdomain within SAP:
- Log into your SAP GUI.
- Go to transaction
UCONCOCKPIT. - Navigate to “Whitelisted Domains” or the relevant whitelist configuration area.
- Add the full subdomain that will embed SAP WebGUI (e.g.,
portal.company.com).
This ensures that SAP won’t block your domain even if the origin check passes.
Without this backend configuration, SAP might still reject the integration at the transport or policy level.
🧪 Testing the Integration
Here’s a checklist ✅ to verify everything works:
- Embed the SAP WebGUI iframe into your application (use HTTPS and the correct subdomain).
- Ensure the parent has the
postMessagelistener. - Confirm the backend whitelist is updated via
UCONCOCKPIT. - Open the application - SAP WebGUI should render without clickjacking warnings.
- Monitor console logs for any cross-origin issues or unhandled messages.
Tip: Use Chrome DevTools’ Security tab to inspect CSP and iframe restrictions.
🧠 Bonus: Why Not Just Use document.domain?
Old tricks like setting document.domain = 'company.com' used to help bypass subdomain restrictions. But:
- Modern browsers deprecated this practice for security reasons.
- It only works if both parent and iframe explicitly set it - which SAP WebGUI doesn’t.
- Even when possible, it’s considered bad practice in new projects.
Stick with postMessage - it’s the cleanest and safest approach.
🧵 Final Thoughts
Integrating SAP WebGUI into modern enterprise portals or dashboards can boost productivity, but it requires navigating SAP’s security mechanisms.
SAP’s clickjacking protection is strong - and rightly so - but with a secure and explicit messaging mechanism, you can safely enable cross-subdomain embedding without compromising security.
Don’t forget: backend configuration (UCONCOCKPIT) and frontend logic (via postMessage) must both be implemented to get a seamless integration.
If you’re working on similar integrations or building hybrid UIs around SAP, this approach offers a solid foundation.