cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Embedding Slipstream to external web app

jfox
Participant

on ‎10-13-2021 9:04 PM

Hi,

please how can I make embedding some sap transaction rendered by Slipstream Engine (/sap/bc/se/m) in an external web page using iframe? I successfully embedded sap transaction rendered by webgui engine (/sap/bc/gui/sap/its/webgui), but when I make the same for Slipstream Engine URL, the page will return alert: "Slipstream Engine has been deactivated. Please refer to SAP note 2640258". In the SAP note is written that my external web page has to be the same domain (or origin policy) as the URL of Slipstream Engine. This domain of my external web is different from the domain of Slipstream Engine. I do not want to put in front of them some reverse proxy, because I need the current effect that the external web is accessible from the public internet, but the iframe content (sap transaction rendered by Slipstream Engine) is accessible only from our private network.

So, can I allow run sap transaction rendered by Slipstream Engine in iframe on the external web with different domain (like webgui engine)?

Maybe using table HTTP_WHITELIST (Whitelist for Clickjacking Framing Protection)?

Thank you.

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (2)

Answers (2)

kmagons
Advisor
Advisor
‎10-14-2021 8:10 AM

Hi Jozef,

As a countermeasure to clickjacking attack vectors, Slipstream Engine can only be embedded into a host web application using HTML inline frames if the host domain origin is trusted. The trust can be established in the following ways:

- The host app and Slipstream Engine come from the same domain origin

- You can use the SAP domain relaxation feature to establish trust in case the top-level domains are the same. More info here

- Slipstream Engine also supports the UCON HTTP Allowlist Scenario Process and the Classic HTTP Allowlist Scenario Process. Please note that the host application also needs to support the handshake protocol. More info here

I Hope, this helps.

Best regards,

Krists Magons

SAP Screen Personas Dev Team

Show replies
Show replies
former_member666436
Explorer
‎10-14-2021 9:05 AM
0 Kudos

Hi Krists,

thank you for your very useful response. I will use UCON or HTTP Allowlist Scenario Process. You also mentioned, that the host application needs to support the handshake protocol - please, what exactly is the protocol (some links/docs/whatever)?

Thank you!

kmagons
Advisor
Advisor
‎10-14-2021 11:07 AM
0 Kudos

Hi Jozef,

If you use SAPUI5 to build the host app, the handshake protocol is already part of the framework. Unfortunately, the allowlist service implementation for the host application is out of our team's expertise.

Thanks,

Krists

Show replies
Show replies
Ask a Question