content-security-policy-fe1a6db.md

Content Security Policy

Content Security Policy (CSP) adds an additional layer of security that can detect and mitigate certain types of attacks, such as cross-site scripting and data injection.

CSP restricts the sources from which the browser is allowed to load resources, such as scripts, fonts, and images:

  • CSP mitigates and reports XSS attacks: CSP-compatible browsers execute only scripts that are loaded from source files received from allowed sources.

  • CSP also mitigates packet sniffing attacks by letting the web server specify which protocols may be used, for example that content must be loaded over HTTPS.

CSP is enabled either by configuring the web server to return the Content-Security-Policy HTTP header (the preferred solution) or via a <meta> element in the meta tags of an HTML page.

For generic information about CSP, see https://www.w3.org/TR/CSP2/.

For SAPUI5, we recommend that developers build their apps CSP-compliant, in particular regarding the loading of resources and the use of inline scripts.

Policies Without script-src 'unsafe-inline'

To build CSP-compliant SAPUI5 apps without inline scripts, avoid the following:

  • <script> elements with inlined source code

  • Inline event handlers

  • javascript: URLs

  • document.write(), createElement('script'), and so on, if they are used to create inline scripts. Creating script references, such as <script src="..."></script>, or non-script content with them is okay.

Policies Without script-src 'unsafe-eval'

eval() is currently still required in some parts of SAPUI5 for synchronous loading and other functionality. However, we recommend loading JavaScript resources asynchronously, which also avoids the use of eval(). For more information about asynchronous loading, see Modules and Dependencies. For more information about avoiding synchronous APIs that might lead to synchronous loading, see Deprecated Factories Replacement.

For a CSP policy that doesn't allow eval(), you must also avoid the following when developing SAPUI5 apps:

  • new Function()

  • setTimeout(<non-fn>)

    Without 'unsafe-eval', this call is silently ignored and no timer is created, that is, <non-fn> is never executed. setTimeout(<fn>) works with and without 'unsafe-eval'.

  • setInterval(<non-fn>)

    Without 'unsafe-eval', this call is silently ignored and no repeated timer is created, that is, <non-fn> is never executed. setInterval(<fn>) works with and without 'unsafe-eval'.
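The silent failure described for setTimeout(<non-fn>) and setInterval(<non-fn>) is easy to miss during testing. The following development-time guard is an added example (not SAPUI5 code, and not part of this documentation): it wraps the timer APIs so that a non-function handler, which a browser would drop without 'unsafe-eval', fails loudly instead. The function names and the optional target parameter are assumptions for illustration.

```javascript
// Added example, not from the SAPUI5 documentation: a development-time guard that
// turns the silent failure described above into a loud one. Without 'unsafe-eval',
// setTimeout("code", ms) and setInterval("code", ms) create no timer and the string
// is never run; this wrapper rejects such calls so they surface in tests and logs.

function assertCallableHandler(apiName, handler) {
  if (typeof handler !== "function") {
    throw new TypeError(
      apiName + ": handler must be a function, got " + typeof handler +
      ". A string handler needs eval-like compilation and is dropped by browsers " +
      "when script-src lacks 'unsafe-eval'."
    );
  }
}

// Returns true when the handler would still be accepted under a policy
// without 'unsafe-eval' (the <fn> case above).
function isCspSafeTimerHandler(handler) {
  return typeof handler === "function";
}

// Wraps setTimeout/setInterval on the given global object (window in a browser,
// globalThis in Node) and returns a function that restores the originals.
// Intended for test and development builds only.
function installTimerGuard(target) {
  const root = target || globalThis;
  const original = { setTimeout: root.setTimeout, setInterval: root.setInterval };
  root.setTimeout = function (handler, delay, ...args) {
    assertCallableHandler("setTimeout", handler);
    return original.setTimeout.call(root, handler, delay, ...args);
  };
  root.setInterval = function (handler, delay, ...args) {
    assertCallableHandler("setInterval", handler);
    return original.setInterval.call(root, handler, delay, ...args);
  };
  return function uninstall() {
    root.setTimeout = original.setTimeout;
    root.setInterval = original.setInterval;
  };
}
```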

Note:

CSP is a complex subject with many interdependencies and dynamics. For example, a CSP-compliant control or function in your app might have a dependency on a deprecated API that is not fully CSP-compliant. In this case you may need to add 'unsafe-eval' to the script-src directive. That's why it's important to test your policies.

To test policies without enforcing them, set up CSP with the Content-Security-Policy-Report-Only response header and test with the most restrictive policy. Monitor the reports to add missing sources (see Directives). When you have found the desired policy, replace the Content-Security-Policy-Report-Only header with Content-Security-Policy to enforce the policy.
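Monitoring the reports in practice means grouping them by directive and blocked source. The following is an added example (not from the SAPUI5 documentation) that aggregates reports received while Content-Security-Policy-Report-Only is active; the sample reports and origins are constructed, and the function names are assumptions.

```javascript
// Added example, not from the SAPUI5 documentation: aggregates the reports a browser
// POSTs while Content-Security-Policy-Report-Only is active, so the sources still
// missing from the policy can be reviewed per directive before enforcing it.

// Constructed sample reports in the "csp-report" shape browsers send to report-uri.
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://app.example/index.html",
      "effective-directive": "script-src", "blocked-uri": "eval" } },
  { "csp-report": { "document-uri": "https://app.example/index.html",
      "effective-directive": "script-src",
      "blocked-uri": "https://ui5.example/resources/sap-ui-core.js" } },
  { "csp-report": { "document-uri": "https://app.example/index.html",
      "effective-directive": "style-src", "blocked-uri": "inline" } },
  { "csp-report": { "document-uri": "https://app.example/index.html",
      "violated-directive": "script-src 'self'",
      "blocked-uri": "https://ui5.example/resources/sap/m/library-preload.js" } },
];

// Maps a blocked-uri to the source expression that would allow it. Browsers report
// "inline", "eval" and "wasm-eval" for blocked inline code and eval-like calls;
// anything else is a URL and is reduced to its origin (a host-source).
function blockedUriToSource(blockedUri) {
  if (blockedUri === "inline") return "'unsafe-inline'";
  if (blockedUri === "eval") return "'unsafe-eval'";
  if (blockedUri === "wasm-eval") return "'wasm-eval'";
  try { return new URL(blockedUri).origin; } catch (e) { return blockedUri; }
}

// Returns { directive: { source: count } }. Reports may carry only
// violated-directive (name plus its sources), so its first token is the fallback.
function summarizeCspReports(reports) {
  const summary = {};
  for (const wrapper of reports) {
    const r = wrapper["csp-report"];
    if (!r) continue;
    const directive = r["effective-directive"] || (r["violated-directive"] || "").split(" ")[0];
    if (!directive) continue;
    const source = blockedUriToSource(r["blocked-uri"] || "");
    if (!summary[directive]) summary[directive] = {};
    summary[directive][source] = (summary[directive][source] || 0) + 1;
  }
  return summary;
}

// One line per directive listing what the enforced policy would need to add.
function suggestAdditions(summary) {
  return Object.entries(summary).map(
    ([directive, sources]) => directive + ": add " + Object.keys(sources).sort().join(" ")
  );
}
```

Review each suggested entry before adding it: an 'unsafe-eval' or 'unsafe-inline' suggestion points at a library or custom script that should be made CSP-compliant where possible, and a host entry should be added only for origins the app is meant to load from.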

To run an app in an environment in which CSP has been enabled, SAPUI5 requires the following CSP directives and source entries. For each directive, the sources required by the SAPUI5 framework are listed first (<source hosting SAPUI5>, which equals 'self' if SAPUI5 is hosted with the app; data:; blob:; other sources), followed by the custom sources required by the app (including 'self' for the app's own origin).

script-src

Sources required by the SAPUI5 framework:

  • <source hosting SAPUI5>
  • Other sources: 'unsafe-eval'

    Required for synchronous loading of JavaScript resources.

    Required for the following libraries:

      • sap.ca.ui and scaffolding framework
      • sap.makit
      • sap.me
      • sap.ui.commons
      • sap.ui.ux3
      • sap.uiext.inbox
      • sap.viz.* (deprecated part)
      • sap.zen.*

    Most likely required for deprecated APIs, especially for programming model APIs, like old factories in the sap.ui namespace.

    Certain libraries at least partly still require 'unsafe-eval', including the following:

      • sap.apf
      • sap.collaboration
      • sap.ovp
      • sap.suite.ui.generic.template
      • sap.rules.ui
      • sap.ui.vbm
      • sap.ushell

    The above list assumes that the app runs using library preloads (recommended, see Ensure that Library Preloads are Enabled). If the application runs without preloads, more libraries require 'unsafe-eval'.

Sources required by the app:

  • Requires 'self' for loading application resources.
  • May require 'unsafe-inline' or 'unsafe-eval' depending on custom scripts.

style-src

Sources required by the SAPUI5 framework:

  • <source hosting SAPUI5>
  • Other sources: 'unsafe-inline'

    Required for the following libraries:

      • sap.ca.ui and scaffolding framework
      • sap.makit
      • sap.me
      • sap.ui.richtexteditor
      • sap.ui.commons
      • sap.ui.ux3
      • sap.uiext.inbox
      • sap.viz.* (deprecated part)
      • sap.zen.*

    Most likely required for deprecated APIs.

    Certain libraries at least partly still require 'unsafe-inline', including:

      • sap.gantt
      • sap.rules.ui
      • sap.suite.ui.commons
      • sap.ui.vbm
      • sap.ui.vk
      • sap.ushell

Sources required by the app:

  • May require 'self' and additional locations for application-specific styles and themes.
  • Requires 'unsafe-inline' for custom controls using inline styles.

img-src

Sources required by the SAPUI5 framework:

  • <source hosting SAPUI5>
  • data: and blob: may be required by some specific SAPUI5 functionality.

Sources required by the app:

  • May require 'self' or additional locations for application-specific images (such as custom themes or images in the back end).

font-src

Sources required by the SAPUI5 framework:

  • <source hosting SAPUI5>
  • data: may be required by some specific SAPUI5 functionality.

Sources required by the app:

  • May require 'self' or additional locations for application-specific fonts.

frame-src

Sources required by the SAPUI5 framework:

  • <source hosting SAPUI5>: required for using the support assistant and/or the diagnostics tool. Also required to avoid a fallback to child-src.*
  • data: and blob: may be required by some specific SAPUI5 functionality.

Sources required by the app:

  • May require additional locations depending on the integration, application, or test scenario.

worker-src

Sources required by the SAPUI5 framework:

  • <source hosting SAPUI5>
  • data: and blob: may be required by some specific SAPUI5 functionality.

child-src**

Sources required by the SAPUI5 framework:

  • <source hosting SAPUI5>
  • data: and blob: may be required by some specific SAPUI5 functionality.

connect-src

Sources required by the SAPUI5 framework:

  • <source hosting SAPUI5>
  • Other sources: some specific SAPUI5 functionality may require wss:.

Sources required by the app:

  • Requires 'self' for loading application resources.

*In case child-src has been specified but no fallback for frame-src is intended, define frame-src with proper sources (could also be 'none').

**child-src is still required for browsers that don't support worker-src yet.

The following functions and features require additional CSP source entries or have certain restrictions. Each entry names the library, the affected topic, and a comment:

script-src 'unsafe-eval'

  • sap.ui.support (Support Assistant - Temporary Rules): For temporary rules in the Support Assistant, dynamic code execution is essential, so it can't be removed. The Support Assistant detects whether dynamic code execution is allowed and informs the user whether temporary rules can be used.

  • sap.ushell (Search, App Finder, Custom Tiles): script-src 'unsafe-eval' is required for the App Finder and the rendering of custom tiles. It's also required to start the search function via a deep link.

  • sap.viz (VizContainer, typed charts): VizContainer and old typed charts require synchronous loading of JavaScript.

  • unified.shell (Factsheets, Smart Business): Factsheets and Smart Business (tiles) have not been fully adapted to run without synchronous loading yet.

script-src 'unsafe-inline'

  • sap.ui.richtexteditor (RichTextEditor): The following cases can cause CSP-relevant issues for inline scripts when the RichTextEditor is used:

      • If you're using one of the following plugins: linkchecker, preview
      • If you're using the tinymce.ui.Iframe widget

    See also sap.ui.richtexteditor.RichTextEditor.

script-src 'wasm-eval'

  • sap.ui.core (Hyphenation): script-src requires 'wasm-eval'. When native hyphenation is not available, a third-party library (Hyphenopoly) is used. This library uses WASM, which leads to CSP issues due to browser limitations. There is a fallback to asm.js if WASM can't be used.

style-src 'unsafe-inline'

  • sap.m and others (Controls that display provided HTML text, for example sap.m.FormattedText and sap.ui.core.HTML): Certain controls display provided HTML text, for example sap.m.FormattedText. If the provided text contains a style attribute or a style element with inline styles, 'unsafe-inline' is required for style-src. It's recommended to use styling with the class attribute and external stylesheets.

  • sap.ui.vk (2D drawings, sap.ui.vk.svg.Viewport): When a 2D drawing is loaded, sap.ui.vk.svg.Viewport creates an SVG document that uses inline styles to define SVG drawing elements, colors, line styles, etc.

  • sap.ushell (Company Logo): A console error related to the loading of the company logo is logged during startup of the SAP Fiori launchpad. Eventually, the logo is loaded as expected.

  • sap.viz (VizContainer, typed charts): VizContainer and old typed charts require synchronous loading of JavaScript.

  • unified.shell (Factsheets, Smart Business): Factsheets and Smart Business (tiles) have not been fully adapted to run without inline styles yet.