The "Browser Settings" section from the "Site Settings" page of the launchpad in SAP Build Work Zone has now enabled the "Asynchronous Module Loading" by default for new sites since May 16th 2024.
When enabled, some of the SAPUI5 applications or FLP plugins fail to start. The browser reports in the console:
Failed to execute '<JavaScript module>.js': Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive:
"script-scr * data: blob:"
.
How is the CSP topic related to the launchpad's "Asynchronous Module Loading" setting? What can I adapt in my existing SAPUI5 code to make it conform to the CSP enforced by SAP?
If the "Asynchronous Module Loading" is activated, not only does SAP Fiori launchpad (FLP) bootstrap SAPUI5 with data-sap-ui-async="true"
but serves also its HTML document with the content-security-policy
(CSP) response header that contains a set of CSP directives omitting unsafe-eval
and unsafe-inline
from script-src
. UI5 contents, that cause calling eval
or contain inline scripts, violate the CSP and therefore won't be processed by the browser.
In the legacy UI5 code, eval
is called typically due to JS modules being synchronously fetched via deprecated APIs (Internally requireSync
or loadSyncXHR
). The response text has to be then processed by eval
in order to evaluate the JS code string at runtime which poses a security threat.
It is highly recommended to keep the "Asynchronous Module Loading" setting enabled which improves the overall UI5 performance (Less blocked main thread) and the security (Stricter CSP).
UI5 has already deprecated legacy/synchronous APIs and — with the 1.96 release — largely improved the support for strict CSP. For more detailed information about the current state of CSP in UI5 and which restrictions there are, see the documentation topic Content Security Policy in addition to following the topic Best Practices for Developers.
The table below summarizes all documented best practices on making UI5 more CSP-compliant.
❌ UI5 content violating CSP |
✅ Making UI5 content more CSP-compliant |
---|---|
Application's initial HTML document bootstrapping UI5 without data-sap-ui-async="true" or with the debug mode activated. |
Ensure that UI5 bootstraps with data-sap-ui-async="true" and that no debug mode is activated unnecessarily. |
Defining styles and scripts inline:
|
Comply with the style-src and script-src directives that exclude unsafe-inline by defining:
|
Using deprecated APIs and libs such asjQuery.sap.* , Core#loadLibrary , Core#createComponent , sap.ui.component , sap.ui.*view , sap.ui.controller , sap.ui.*fragment , sap.ui.extensionpoint , sap.ui.commons , sap.ca.scfld.md , sap.ca.ui , sap.ui.suite , sap.landvisz , sap.ui.vtm , sap.zen.* , sap.ui.ux3 , sap.makit , sap.ui.model.odata.ODataModel , sap.ushell.Container.getService , etc. and/or fetching resources still synchronously despite using non-deprecated APIs. |
Review the reports by UI5 linter and console logs. You might have to increase the log level e.g. via the URL parameter Note: Some APIs are only partially deprecated. UI5 linter can help detect the use of deprecated options. |
Accessing module exports via global names:Also in XML definitions:
|
Address modules only via:
See Best Practices for Loading Modules on how to access modules in JS. For XML: Require Modules in XML View and Fragment and Handling Events in XML Views. |
Creating the component content such as the root view, routed views, and nested views synchronously at runtime despite having them defined declaratively. | Add the marker interface "sap.ui.core.IAsyncContentCreation" to the Component.js definition to enable creating the component content asynchronously and other benefits. |
Renderer of certain controls being fetched synchronously. | Require the renderer module and assign it to the renderer in the control definition.
|
In library development, having dependencies incorrectly maintained in:
* If a list of library |
In accordance with the Only eager dependencies in
Eager+lazy dependencies in The generated manifest.json should then contain the correct /sap.ui5/dependencies/libs . |
Bundles such as
During the build time, UI5 Tooling logs a warning: Module [...] requires top level scope and can only be embedded as a string (requires 'eval') Or an error since Module [...] requires top level scope and can only be embedded as a string (requires 'eval'), which is not supported with specVersion 4.0 and higher. |
JS module definitions in the generated preload bundles must not result in string. If the project still relies on Grunt: migrate to SAP Fiori tools / UI5 Tooling and keep your development toolchain up-to-date. Older SAP Fiori tools versions include When defining a module, do not include any global declaration such as
|
eval
calls when addressing UI5 modules at runtime?csp
ui5 build --all
or ui5 build self-contained -a
.dist
folder (Refer to SAP/ui5-tooling issue #300).ui5 serve --config ui5-dist.yaml
.index.html?sap-ui-xx-csp-policy=sap-target-level-<1 to 3>:report-only
sap-target-level-<n>
, the stricter the CSP.:report-only
if the browser should actually apply the CSP level.⚠️ Currently doesn't work in combination with the custom middleware ui5-middleware-index
.
F12 → F1 → Select the "Show CSP Violations view" checkbox from the Experiments section.
If the CSP violation is found in the code maintained by SAP, reach out to support to raise the issue.