Clickjacking is an attempt to trick users into clicking hidden or masked user interface elements without the user realizing it. The user thinks he or she is clicking on the underlying element in the presented context, but is actually clicking on an action chosen by the attacker.
This topic is not relevant for SAP Business Client for Desktop.
To prevent malicious applications from using SAP NetWeaver Business Client (NWBC) for HTML for clickjacking attacks, protect the NWBC for HTML applications by enabling clickjacking framing protection.
Clickjacking framing protection ensures that your application only runs in trusted environments when other applications frame it. If the protection determines that the application is not already in a safe environment, it detects the origin of the framing window and compares it against a fixed value or list. The function prevents NWBC for HTML applications from being embedded into other web applications, unless you trust the application source. You define trusted domains in a whitelist for clickjacking framing protection.
Consider whitelisting domains (such as *.example.com) for ease of maintenance, but weigh this risk against your current security measures for your network infrastructure.
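The origin comparison described above, including wildcard entries such as *.example.com, can be sketched as follows. This is an added example, not SAP's implementation: the entry layout (scheme, host pattern, port), the sample whitelist and the function names are assumptions made for illustration.

```javascript
// Added example, not SAP code. Entry layout and sample values are constructed.
const WHITELIST = [
  { scheme: "https", host: "portal.example.com", port: "" },   // exact host
  { scheme: "https", host: "*.example.com", port: "" },        // any subdomain
  { scheme: "https", host: "apps.example.org", port: "8443" }, // fixed port
];

// True when hostname matches pattern. A leading "*." stands for one or more
// complete DNS labels, so "evilexample.com" and the bare apex "example.com"
// do not match "*.example.com".
function hostMatches(pattern, hostname) {
  const p = pattern.toLowerCase();
  const h = hostname.toLowerCase();
  if (!p.startsWith("*.")) return h === p;
  const suffix = p.slice(1); // ".example.com"
  return h.length > suffix.length && h.endsWith(suffix);
}

// Decide whether a framing origin (for example "https://a.example.com")
// is trusted. Scheme, host and port must all match one whitelist entry.
function isTrustedFramer(origin, whitelist = WHITELIST) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // unparsable or opaque origin ("null") is never trusted
  }
  const scheme = url.protocol.replace(/:$/, "");
  return whitelist.some(
    (e) =>
      e.scheme === scheme &&
      e.port === url.port && // "" means the scheme's default port
      hostMatches(e.host, url.hostname)
  );
}
```

Note that the wildcard entry trusts every host under example.com, so any subdomain that serves third-party or user-controlled content becomes an accepted framer; this is the maintenance-versus-risk trade-off mentioned above.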
To enable the global clickjacking framing protection functionality for NWBC for HTML as well as for any other UI frameworks being exposed in the NWBC, maintain the whitelist for clickjacking framing protection.
For more information, search for "Using a Whitelist for Clickjacking Framing Protection" in the SAP NetWeaver documentation on the SAP Help Portal at http://www.help.sap.com (see under ).
For SAP NetWeaver Business Client version 3.5, at least patch 48 (SAP Note 2201092) must be implemented.
For SAP NetWeaver Business Client version 3.6, at least SAP_UI service pack 14 must be implemented.