Feature Request Description
The UI5 Web Components library currently supports three configuration methods (Configuration Documentation):
- Configuration Script - <script data-ui5-config type="application/json">
- Module Imports - JavaScript API like setTheme(), setLanguage()
- URL Parameters - Query strings like ?sap-ui-theme=mytheme or ?sap-ui-language=de
While URL parameters are useful for development and testing scenarios, production applications require the ability to disable or restrict URL parameter processing to strengthen their security posture.
Current Behavior:
URL Parameters Currently Processed:
According to the code in InitialConfiguration.ts (parseURLParameters()), the framework processes any parameter starting with:
- sap-ui-* (e.g., sap-ui-theme, sap-ui-language, sap-ui-animationMode, etc.)
- sap-* (e.g., sap-theme, sap-language, etc.)
These parameters can override any configuration setting, including:
- theme / themeRoot - most critical from a security perspective, since a parameter such as ?sap-ui-theme=mytheme@https://external.com/ can also modify the theme root (Theming Documentation)
- language, animationMode, calendarType, timezone
- noConflict, formatSettings, etc.
Security and Production Concerns:
- Attack Surface Reduction: URL parameters are user-controlled input that can be manipulated through phishing links, browser history, or social engineering
- Configuration Priority Inversion: URL parameters have the highest priority (overriding script configuration), so an application has no way to suppress them in production
- Unexpected Behavior: Production applications may be unintentionally affected by URL parameters added during testing or debugging
- Multi-Bundle Scenarios: When multiple versions of the library are included on a page, consistent hardening requires a globally-accessible configuration mechanism
- Compliance Requirements: Some enterprise applications require explicit control over all external data sources, including URL parameters
Proposed Solution
Add a configuration mechanism to control URL parameter processing, following the existing configuration script pattern used by the framework.
Configuration Script Approach (Follows Existing Pattern)
Extend the existing data-ui5-config script to include URL parameter control:
<script data-ui5-config type="application/json">
{
  "ignoreUrlParams": true
}
</script>
Advantages:
- Consistent with existing configuration method (same as theme, language, animationMode, etc.)
- Declarative and visible in HTML source
- Processed early during initialization (same as other config settings)
- Works across multiple bundle instances (single source of truth in DOM)
- Already has parsing and error handling infrastructure in place
Granular Control (Optional Enhancement)
For advanced scenarios, allow selective control over specific parameters via the configuration script:
<script data-ui5-config type="application/json">
{
  "urlParams": {
    "ignore": ["theme", "themeRoot"],
    "allow": ["language"]
  }
}
</script>
Or use a simpler array format to block specific parameters:
<script data-ui5-config type="application/json">
{
  "blockedUrlParams": ["theme", "themeRoot", "animationMode"]
}
</script>
Implementation Location
- Check configuration in parseURLParameters() before processing any parameters
- Read from the same initialConfig object populated by parseConfigurationScript()
- Process this setting before the URL parameter loop begins
Example Implementation
const shouldProcessURLParameters = () => {
  // This would be set during parseConfigurationScript()
  // from the data-ui5-config script tag
  if (initialConfig.ignoreUrlParams === true) {
    return false;
  }
  return true; // Default: process URL parameters (backward compatible)
};

const parseURLParameters = () => {
  if (!shouldProcessURLParameters()) {
    return; // Skip URL parameter processing
  }
  const params = new URLSearchParams(getLocationSearch());
  // ... existing implementation for processing parameters
};
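The following is an added, stand-alone model of the gate sketched above, covering both the global opt-out and the granular ignore/allow and blockedUrlParams variants from the Granular Control section; it is example code, not the UI5 Web Components implementation. The function names, the precedence between the three config shapes, and the splitting of a theme value at "@" into theme and themeRoot are assumptions made for the example.

```javascript
// Added example, not code from the UI5 Web Components project: a self-contained model
// of the proposed URL parameter gate. Config keys follow the request (ignoreUrlParams,
// blockedUrlParams, urlParams.ignore / urlParams.allow); function names are assumed.

// Map a query key to the setting it would override: "sap-ui-theme" -> "theme",
// "sap-language" -> "language". Anything else is not a framework parameter.
function settingNameFromParam(key) {
  if (key.startsWith("sap-ui-")) return key.slice("sap-ui-".length);
  if (key.startsWith("sap-")) return key.slice("sap-".length);
  return null;
}

// Assumption, modelled on the request's "?sap-ui-theme=mytheme@https://external.com/"
// example: a theme value "<theme>@<root>" sets both theme and themeRoot, so the
// themeRoot part is checked against the configuration on its own.
function expandSetting(name, value) {
  const at = name === "theme" ? value.indexOf("@") : -1;
  if (at < 0) return [[name, value]];
  return [["theme", value.slice(0, at)], ["themeRoot", value.slice(at + 1)]];
}

// Is an override of `name` from the URL permitted under the script configuration?
// Precedence chosen here: global opt-out, then blockedUrlParams, then the granular
// allow list (exclusive when present) and ignore list. Default: allowed.
function isUrlOverrideAllowed(config, name) {
  if (config.ignoreUrlParams === true) return false;
  const blocked = config.blockedUrlParams || [];
  if (blocked.includes(name)) return false;
  const granular = config.urlParams || {};
  if (Array.isArray(granular.allow) && !granular.allow.includes(name)) return false;
  if (Array.isArray(granular.ignore) && granular.ignore.includes(name)) return false;
  return true;
}

// Model of the gated parseURLParameters(): returns which settings the URL would
// override and which were refused, instead of mutating global configuration state.
function applyUrlParameters(config, search) {
  const applied = {};
  const skipped = [];
  for (const [key, value] of new URLSearchParams(search)) {
    const name = settingNameFromParam(key);
    if (name === null) continue; // unrelated query parameter, e.g. application state
    for (const [setting, settingValue] of expandSetting(name, value)) {
      if (isUrlOverrideAllowed(config, setting)) applied[setting] = settingValue;
      else skipped.push(setting);
    }
  }
  return { applied, skipped };
}
```

With the blockedUrlParams configuration from above, a query string carrying an external theme root is refused for both theme and themeRoot while sap-ui-language still applies; with no configuration at all every parameter is applied, which is the backward-compatible default.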
Configuration Priority
Following the existing initialization order in resetConfiguration():
- Configuration script is parsed first (includes the new ignoreUrlParams setting)
- URL parameters would be skipped if ignoreUrlParams: true
- OpenUI5 configuration (if detected) would still apply
This maintains the existing priority model while allowing applications to opt-out of URL parameter processing.
Proposed Alternatives
No response
Organization
SuccessFactors
Additional Context
Use Case: SAP SuccessFactors applications include UI5 Web Components and want to ensure that production pages cannot be affected by URL parameter manipulation. These applications serve millions of users and require robust security controls.
Business Impact:
- Security Hardening: Reduces attack surface by eliminating user-controlled configuration vectors
- Predictability: Ensures production behavior is consistent and cannot be altered through URL manipulation
- Compliance: Meets enterprise security requirements for controlling external input sources
- Testing Safety: Prevents testing parameters from accidentally affecting production environments
Backward Compatibility: The proposed solution maintains full backward compatibility by defaulting to current behavior (URL parameters enabled). Applications must explicitly opt-in to disable URL parameter processing.
Related Issues/Commits:
Priority
High