sapui5content-security-policyamdsap-fioriui5-tooling

How to Fix "String as JavaScript" Errors in FLP? (Async Module Loading)

The "Browser Settings" section from the "Site Settings" page of the launchpad in SAP Build Work Zone has now enabled the "Asynchronous Module Loading" by default for new sites since May 16th 2024.

SAP Fiori launchpad Asynchronous Module Loading switch

When enabled, some of the SAPUI5 applications or FLP plugins fail to start. The browser reports in the console:

Failed to execute '<JavaScript module>.js': Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-scr * data: blob:".

How is the CSP topic related to the Fiori launchpad's "Asynchronous Module Loading" setting in this case and what can we do to avoid evaluating "string as JavaScript" in UI5? How can I make my UI5 content compatible with the launchpad site CSP defined by SAP?

Solution

  • Cause

    If "Asynchronous Module Loading" is activated, not only does SAP Fiori launchpad (FLP) bootstrap SAPUI5 with data-sap-ui-async="true" but serves also its HTML document with the content-security-policy (CSP) response header that contains a set of CSP directives omitting unsafe-eval and unsafe-inline from script-src. UI5 contents, that initiate calling eval or contain inline scripts, violate the CSP and thus won't be processed by the browser.

    In the legacy UI5 code, eval is called typically due to JS modules being synchronously fetched via deprecated APIs (Internally requireSync or loadSyncXHR). The response text has to be then processed by eval in order to evaluate the JS code out of string. In UI5 2.0, most APIs that had been deprecated previously are finally removed.

    For more detailed information about the current state of CSP in UI5 and which restrictions there are, see the documentation topic Content Security Policy in addition to following the topic Best Practices for Developers.

    The table below summarizes all documented best practices for making UI5 CSP-compliant.

    Resolution

    It is highly recommended to keep the "Asynchronous Module Loading" setting enabled which improves the overall UI5 performance in FLP (unblocked main thread) and security (stricter CSP).

    UI5 has already deprecated legacy/synchronous APIs and — with the 1.96 release — largely improved the support for strict CSP. UI5 content owners should adjust their code accordingly:

    ❌ UI5 content violating CSP ✅ Making UI5 content more CSP-compliant
    Application's initial HTML document bootstrapping SAPUI5 without data-sap-ui-async="true" or with the debug mode activated. Bootstrap UI5 with data-sap-ui-async="true" and ensure that no debug mode is activated unnecessarily. C.f. "Is Your Application Ready for Asynchronous Loading?"
    Defining styles and scripts inline:
    • <style>/*...*/</style>
    • <div style="..."></div>
    • <script>/*...*/</script>
    		 Comply with the style-src and script-src directives that exclude unsafe-inline by defining:
    • Style in a separate .css file.
    • Script in a separate file.

      <script src="..." ...></script>
      <script id="sap-ui-bootstrap"
        data-sap-ui-onInit="module:..."
      e.g. sap/ui/core/ComponentSupport.
    Using deprecated APIs and libs such as
    jQuery.sap.*, Core#loadLibrary, Core#createComponent, sap.ui.component, sap.ui.*view, sap.ui.controller, sap.ui.*fragment, sap.ui.extensionpoint, sap.ui.commons, sap.ca.scfld, sap.ca.ui, sap.ui.suite, sap.landvisz, sap.ui.vtm, sap.zen.*, sap.ui.ux3, sap.makit, sap.ui.model.odata.ODataModel, sap.ushell.Container.getService, etc..

    Refer to the API reference and the reports logged in the browser console to learn about newer APIs that replace the deprecated ones.

    Use the UI5 linter additionally to detect deprecated APIs and other issues in the project.
    Accessing module exports via global names:
    sap.m.MessageBox.show(/*...*/);
    Or modules from a library export:
    new myRequiredLib.SomeControl();
    		 Address modules only via:
    • sap.ui.define when defining a module as part of its dependency list.
    • sap.ui.require when simply requiring an existing module on-demand.

    Those above APIs and sap.ui.loader.config are the only allowed sap.* uses.

    See also Best Practices for Loading Modules and Troubleshooting for Loading Modules.
    Creating the component content such as the root view, routed views, and nested views synchronously at runtime despite having them defined declaratively. Add the marker interface "sap.ui.core.IAsyncContentCreation" to the Component.js definition to enable creating the component content asynchronously and other benefits.
    Renderer of certain controls being fetched synchronously Require the renderer module and assign it to the renderer in the control definition.
    Control.extend("demo.MyControl", {
      metadata: {/*...*/},
      renderer: MyRequiredRenderer
    });
    Fetching resources still synchronously or indirectly referencing modules via global names despite using non-deprecated APIs. Review the API reference, reports by the UI5 linter, and the console logs. You might have to increase the log level e.g. via the URL parameter sap-ui-logLevel=... to see the relevant logs.

    UI5 bundles such as Component-preload.js or library-preload.js containing JS modules that are in string. For example, due to the bundle having been generated via outdated Grunt build task. Result:

    "my/Module.js":'sap.ui.define([...'

    Even with UI5 Tooling, some JS modules can be still generated into string if their definition contains global declarations outside of sap.ui.define such as var, let, const, or function. Result:

    "my/Module.js":'var myGlobal...'

    During the build time, UI5 Tooling logs a warning:

    Module [...] requires top level scope and can only be embedded as a string (requires 'eval')

    Or an error since specVersion 4 or higher:

    Module [...] requires top level scope and can only be embedded as a string (requires 'eval'), which is not supported with specVersion 4.0 and higher.

    Keep your development toolchain up-to-date. If the project is still relying on Grunt, migrate to SAP Fiori tools or UI5 Tooling. Older Fiori tools versions include utils/locate-reuse-lib.js which should be excluded from the deployment chain.

    When defining a module, do not include any global declaration such as var, let, const, and function outside of sap.ui.define.

    If the module has to depend on a global:

    • Replace e.g. var myGlobal with globalThis.myGlobal, wrap the module definition in an IIFE, or export the global as a separate module that can be required.
    • Some third party libraries, such as SheetJS, have to define a variable globally or must be exempted from being modified due to license reasons. In such cases, exclude the third party libraries from the bundle (Sample).
    • In UI5 library development, one can also set requiresTopLevelScope="false" to the affected raw-module in .library.

    Related Q&As

    Other resources that might help identifying CSP issues in UI5

    UI5 Tooling middleware csp

    1. Build the app e.g. with ui5 build --all or ui5 build self-contained -a.
    2. Serve the built app from the dist folder (Refer to SAP/ui5-tooling issue #300).
      E.g. with ui5 serve --config ui5-dist.yaml.
    3. Run the app with the following URL parameter:
      index.html?sap-ui-xx-csp-policy=sap-target-level-<1 to 3>:report-only
      • The higher sap-target-level-<n>, the stricter the CSP.
      • Remove :report-only if the browser should actually apply the CSP level.
    4. Observe any CSP violation reported in the browser console.

    ⚠️ Currently doesn't work in combination with the custom middleware ui5-middleware-index.

    Chrome DevTools

    F12F1 → Select the "Show CSP Violations view" checkbox from the Experiments section.