openui5
`sap.m.ColorPalettePopover` violates `unsafe-eval` CSP
OpenUI5 version: 1.108
Browser/version (+device/version): CR latest
Steps to reproduce the problem:
- Remove `unsafe-eval` from the CSP header on the server
- Open DEV tools
- Click on the 'more colors' button of the `sap.m.ColorPalettePopover`
What is the expected result? Control should work as normal
What happens instead? The popover does not open
Any other information? (attach screenshot if possible)
Error trace:
i === 'sap.m.Slider':

Hello @dfenerski ,
Please send us link with isolated example with the issue.
Best Regards, Lidiya
@dfenerski How are you serving the app? Is the app built, deployed, and launched from FLP? Does https://stackoverflow.com/a/74959324/5846045 help?
Thanks for reaching out @boghyon! The app is built & minified, so CSP usually works. It is however served through Express.js, so FLP settings do not apply for me.
I am somewhat sure the issue is caused by the inline import of sap.m.Slider here. I've managed to overcome the issue by extending the predefined control & defining the dependency manually in sap.ui.require and therefore removing the sync import.
Providing a reproducible sample would require creating a dedicated code sandbox with an express.js + openui5 skeleton, which I haven't found the time to do.
The tips you've listed in the stackoverflow table provide great insight regarding overall CSP guidelines. The point with sap.ui.core.IAsyncContentCreation is totally new for me - I have to research this one a bit.
Hello @dfenerski, Thank you for sharing this finding. The issue is internally tracked with the Change-Id I713b517444b900847ce80fd9b37a5a9fbe709c34. The status of the issue will be updated here in GitHub.
> [...] caused by the inline import of `sap.m.Slider` here.
Preparation for the global name removal: https://github.com/SAP/openui5/commit/a16ac4332b1b3d554c1815429f1a8f586e96d952