Post on 21-Apr-2015
07.03.2012 Page 1 of 2
SAP Note 1427124 - LTX - Cross-frame scripting has beendenied by the browser
Note Language: English Version: 5 Validity: Valid Since 04.02.2011
Summary
SymptomIn the WebClient UI you use the transaction launcher for integrating BORobjects with SAP GUI for HTML. On ending the launch transaction you get apopup with this error text:Cross-frame scripting has been denied by the browser for security reasons.Protocol or domain of the inline frame did not match with the main window.Then the protocol and domain of the inline frame are listed.
Other terms
Reason and Prerequisites
SolutionThe URL in the browser address bar has the following composition:<protocol>://<host_name>.<domain>:<port>/...
Compare the protocol in the address bar of your browser with the protocolof the inline frame. If they are not the same (one is HTTP and the other isHTTPS) then continue reading at "Protocol Mismatch".
Compare the domain in the address bar of your browser with the domain ofthe inline frame. If they are not the same then continue reading at "DomainMismatch".
Related document at Microsoft ("About Cross-Frame Scripting and Security"):http://msdn.microsoft.com/en-us/library/ms533028%28VS.85%29.aspx
Protocol MismatchWe have to ensure that the used protocols are the same to allow cross-framescripting. There are three different ways to get this. The first twopossibilities are static adjustments. The third possibility automaticallyuses the matching protocol:
1. Starting the WebClient UI with the protocol that is used within theinline frame. (Note that with a change of the protocol the port has tochange accordingly. You can have a look at transaction SMICM, Goto -Services for a list of protocols and assigned ports.)
2. Starting the launch transaction with the protocol that is used for theWebClient UI. You can change this setting in field "URL of ITS" intransaction CRMS_IC_CROSS_SYS. (There can be multiple entries. In theexecuted launch transaction you can have a look in the status line ofSAP GUI for HTML and get the system ID. This helps in identifying thecorrect line in CRMS_IC_CROSS_SYS.)
3. For a dynamic matching of protocol and port go into transactionCRMS_IC_CROSS_SYS and set the indicator "Local ITS" of the line thatis used by your launch transaction. (For getting the correct lineeither have a look into the settings of the launch transaction orcheck the system ID within the executed launch transaction and deduce
07.03.2012 Page 2 of 2
SAP Note 1427124 - LTX - Cross-frame scripting has beendenied by the browser
the corresponding line.)Starting WEBCUIF701 SAP recommends to use option (3).
Domain MismatchIn general if the two domains have at least one common part then theconcept of domain relaxation can be used to allow the cross-framescripting.But as the WebClient UI only supports minimal domain relaxation, i.e. takethe fully qualified domain names and truncate the host names, then theremaining domain part has to be identical.
Header Data
Release Status: Released for CustomerReleased on: 04.02.2011 12:55:51Master Language: EnglishPriority: Correction with low priorityCategory: ConsultingPrimary Component: CA-WUI-APF Application Frame
Secondary Components:CRM-FRW-AFP Application Frame
Valid Releases
Software Component Release FromRelease
ToRelease
andSubsequent
WEBCUIF 701 701 701