The previous article of this tutorial answered a question raised by my friend on Knowledge Planet: how to prevent an SAP UI5 application from being embedded into another front-end page through an iframe and run there.
The setting is one line of code added to the index.html file of the SAP UI5 application: data-sap-ui-frameOptions='deny'
Later, a friend raised a question and pointed me to the following website:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
This website mentions that the way to avoid the risk of clickjacking is to set the value of the HTTP response header field X-Frame-Options to DENY, which prevents the HTML page returned by the HTTP request from being embedded into other front-end pages and run there.
However, in the example from the previous article of our tutorial, if we observe the response header fields of the HTTP request that returns iframe2.html, we find that there is no trace of X-Frame-Options at all. So how does this example work?
This friend observed very carefully, so the author of this article will take everyone along to find the answer to the question through single-step debugging.
The detailed answer is in this article.
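A small check for the situation described above, as an added example that is not from the original article or from SAP: it reports whether a response is protected by the X-Frame-Options header or only by the UI5 bootstrap attribute in the HTML. The function name classifyFraming and the sample response are constructed for illustration.

```javascript
// Added example: classify which anti-framing control a fetched page relies on.
// classifyFraming is a hypothetical helper, not a UI5 or browser API.
function classifyFraming(headers, html) {
  // HTTP header names are case-insensitive, so normalise before lookup.
  const lower = {};
  for (const [k, v] of Object.entries(headers)) {
    lower[k.toLowerCase()] = String(v).trim();
  }
  const xfo = (lower['x-frame-options'] || '').toUpperCase() || null;

  // Look for the UI5 bootstrap attribute inside any <script ...> start tag.
  let ui5 = null;
  const attr = /\bdata-sap-ui-frameOptions\s*=\s*(?:"([^"]*)"|'([^']*)')/i;
  for (const tag of html.match(/<script\b[^>]*>/gi) || []) {
    const m = attr.exec(tag);
    if (m) { ui5 = (m[1] ?? m[2]).toLowerCase(); break; }
  }

  let control;
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') control = 'http-header';
  else if (ui5 === 'deny') control = 'ui5-bootstrap-only';
  else control = 'none';
  return { xFrameOptions: xfo, ui5FrameOptions: ui5, control };
}

// Constructed sample: response headers without X-Frame-Options, and an
// index.html whose bootstrap script carries the attribute from the article.
const SAMPLE_HEADERS = { 'Content-Type': 'text/html', 'Cache-Control': 'no-cache' };
const SAMPLE_HTML = [
  '<!DOCTYPE html><html><head>',
  '<script id="sap-ui-bootstrap" src="resources/sap-ui-core.js"',
  "        data-sap-ui-frameOptions='deny'></script>",
  '</head><body></body></html>'
].join('\n');

console.log(classifyFraming(SAMPLE_HEADERS, SAMPLE_HTML));
console.log(classifyFraming({ 'x-frame-options': 'deny' }, '<html></html>'));
```

A result of ui5-bootstrap-only matches what the article observes: no X-Frame-Options in the response headers, while the restriction is declared in the page's own markup.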