
Clickjacking Framing Protection

Clickjacking is an attempt to trick users into clicking hidden or masked user interface elements without realizing it. Users believe they are clicking the element visible in the presented context, but are actually triggering an action chosen by the attacker.

To prevent malicious applications from using SAP Fiori launchpad for clickjacking attacks, clickjacking framing protection is enabled by default.

Clickjacking framing protection ensures that your application runs only in trusted environments when other applications frame it. If the protection determines that the application is not already in a safe environment, it detects the origin of the framing window and compares it against a fixed value or a list. This prevents SAP Fiori launchpad applications from being embedded in other web applications unless you trust the application source. You define the trusted domains in a whitelist for clickjacking framing protection.

Note

Consider whitelisting whole domains (such as *.example.com) for ease of maintenance, but weigh the risk against your current security measures for your network infrastructure: a wildcard entry trusts every current and future host under that domain, not just the ones you have reviewed.

To enable the standard clickjacking framing protection for SAP Fiori launchpad and SAP Fiori launchpad designer, maintain the whitelist for clickjacking framing protection. For more information, see http://help.sap.com/netweaver > Security Guide > Security Guides for SAP NetWeaver Functional Units > Security Guides for the Application Server > Security Guides for AS ABAP > SAP NetWeaver Application Server for ABAP Security Guide > Special Topics > Using a Whitelist for Clickjacking Framing Protection.

If you do not activate the whitelist, the launchpad falls back to a more restrictive clickjacking mechanism: it only allows a website to frame the launchpad if that website is hosted on exactly the same origin.
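The following is an added example, not SAP's implementation, of the comparison the two preceding paragraphs describe: a framed document learns the origin of the framing window, checks it against a whitelist of trusted domains, and falls back to same-origin-only when no whitelist is configured. Everything beyond the page's description is an assumption: the whitelist entries are either full origins ("https://portal.example.com") or wildcard host patterns ("*.example.com"), wildcard entries only accept https framers, and the framing window's origin is obtained through a simple postMessage handshake whose message names are invented here. It also shows why a wildcard must be matched on a dot boundary, so that "*.example.com" does not accept a lookalike such as example.com.evil.net.

```javascript
// Added example (not SAP code): whitelist comparison for clickjacking framing
// protection. Whitelist entry formats and the handshake below are assumptions.

function parseOrigin(value) {
  // Reduces a URL or origin string to { origin, scheme, hostname }; returns null
  // for anything unparsable (including the literal "null" origin of sandboxed
  // frames) so that callers fail closed.
  try {
    const u = new URL(value);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return { origin: u.origin, scheme: u.protocol.slice(0, -1), hostname: u.hostname.toLowerCase() };
  } catch (e) {
    return null;
  }
}

function hostMatchesPattern(pattern, hostname) {
  // Exact host, or "*.example.com" for any subdomain. The wildcard is a suffix
  // match on a dot boundary: it accepts "apps.example.com" but rejects the apex
  // "example.com" and lookalikes such as "example.com.evil.net".
  const p = pattern.toLowerCase();
  const h = hostname.toLowerCase();
  if (!p.startsWith('*.')) return p === h;
  const suffix = p.slice(1); // ".example.com"
  return h.length > suffix.length && h.endsWith(suffix);
}

function isTrustedFramer(framerOrigin, ownOrigin, whitelist) {
  const framer = parseOrigin(framerOrigin);
  const own = parseOrigin(ownOrigin);
  if (!framer || !own) return false;             // unparsable origin: fail closed
  if (framer.origin === own.origin) return true;  // same origin is always allowed
  if (whitelist.length === 0) return false;      // no whitelist: restrictive default
  return whitelist.some((entry) => {
    if (entry.includes('://')) {
      // Full-origin entry: scheme, host and port must all match.
      const allowed = parseOrigin(entry);
      return allowed !== null && allowed.origin === framer.origin;
    }
    // Host-pattern entry (assumed format): require https so that a plaintext
    // framer on a matching host name cannot qualify.
    return framer.scheme === 'https' && hostMatchesPattern(entry, framer.hostname);
  });
}

// Browser side. The handshake is an assumption for this example, not SAP's
// protocol: the framed document asks the top window for a reply and trusts the
// browser-set event.origin of that reply. document.referrer is deliberately not
// used, because referrer policies can strip it.
function protectWhenFramed(ownOrigin, whitelist, doc, win) {
  if (win.top === win.self) return 'not-framed';
  doc.documentElement.style.visibility = 'hidden'; // hidden until proven trusted
  win.addEventListener('message', (event) => {
    if (event.source !== win.top || event.data !== 'framing-origin-reply') return;
    if (isTrustedFramer(event.origin, ownOrigin, whitelist)) {
      doc.documentElement.style.visibility = '';
    }
    // Untrusted or unknown framer: stay hidden. If the top window never
    // answers, the page also stays hidden, which is the safe outcome.
  });
  win.top.postMessage('framing-origin-request', '*'); // request carries no secrets
  return 'pending';
}

// Example whitelist (constructed for this example).
const EXAMPLE_WHITELIST = ['https://portal.example.com', '*.example.com'];

if (typeof window !== 'undefined') {
  protectWhenFramed(window.location.origin, EXAMPLE_WHITELIST, document, window);
}
```

The same-origin shortcut and the empty-whitelist branch together reproduce the fallback behaviour described above: with no entries configured, only a framer on exactly the launchpad's own origin is accepted.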