Skip to Content
Feb 01, 2021 at 10:33 AM

Smartedit in 2005 shows "Disallowed Storefront" (whitelistedStorefront is correctly configured)

1090 Views Last edit Feb 01, 2021 at 10:35 AM 3 rev


We are upgrading from 1905 to 2005.

When entering smartedit, a lot of messages "disallowed storefront is trying to communicate with smarteditcontainer" are printednin the browser console. This does occur immediately after login when browsing the catalogs and pages (so even before the spartacus storefront is involved when editing pages and using the preview functionality).

Description of the situation:

  • The configuration of the whitelistedStorefronts is set correctly to
  • The requests from the spartacus storefront (from https://localhost:4200) are handled correctly but the requests by the smartedit application itself (coming from https://localhost:9002) result in the error message "disallowed storefront..."
  • This also happens for an unchanged installation of the standard Sap Commerce 2005 and we found out that in the file in the method '_isAllowed' in gatewayFactory.js there are changes between 1905 and 2005:


     * allowed if receiving end is frame or [container + (white listed storefront or same origin)]
    GatewayFactory.prototype._isAllowed = function (origin) {
        var _this = this;
        var whiteListedStorefronts = this.injector.get(GatewayFactory_1.WHITE_LISTED_STOREFRONTS_CONFIGURATION_KEY, []);
        return this.windowUtils.isIframe() || this.urlUtils.getOrigin() === origin || (whiteListedStorefronts.some(function (allowedURI) {
            return _this.stringUtils.regExpFactory(allowedURI).test(origin);
    var GatewayFactory_1;
     * @description
     * the name of the configuration key containing the list of white listed storefront domain names
    GatewayFactory.WHITE_LISTED_STOREFRONTS_CONFIGURATION_KEY = 'whiteListedStorefronts';


     * allowed if receiving end is frame or [container + (origin same as loaded iframe)]
    GatewayFactory.prototype._isAllowed = function (origin) {
        return (
        // communication from container to iframe already secured by webApplicationInjector
        this.windowUtils.isIframe() ||
            // communication from iframe to container strictly limiting to domain loaded in iframe
            this.windowUtils.getTrustedIframeDomain() === origin);
    var GatewayFactory_1;


How and where do we have to configure the access from http://localhost:9002 so that the _isAllowed in the 2005 version is not giving back "false" (and therefore the log messages do not happen)?