UI5 application security advice

In the OpenUI5 documentation it is written:

Now, we create a new index.js script that will contain the application logic for this tutorial step. We do this to avoid having executable code directly in the HTML file for security reasons. This script will be called by the index.html. We defined it there as a module in a declarative way.

In other words, the official OpenUI5 documentation recommends extracting the following code:

<script>
    "use strict";
    sap.ui.getCore().attachInit(function () {
        new sap.m.Shell("", {
            appWidthLimited: false,
            app: new sap.ui.core.ComponentContainer("", {
                name: "webapp",
                height: "100%"
            })
        }).placeAt("content");
    });
</script>

into a separate JS file:

"use strict";

sap.ui.getCore().attachInit(() => {

    new sap.m.Shell("", {
        app: new sap.ui.core.ComponentContainer("", {
            height: "100%",
            name: "webapp"
        }),
        appWidthLimited: false
    }).placeAt("content");

});

I would like to know how extracting the JS code from the HTML page into a separate JS file helps the security of a UI5 application?

It seems there is an additional explanation in the UI5 documentation:

It's strongly recommended that you make your OpenUI5 applications CSP compliant — after all, you want your apps to be secure. The main thing you have to do is to remove all scripts that directly execute code from your HTML pages.

Don't use directly executable code in your HTML files, because this makes them vulnerable. Instead, enable the ComponentSupport module in the bootstrapping script. Then, declare your desired component in the body via a div tag. This will instantiate the component when the onInit is executed.

For more details on Content Security Policy (CSP) and hands-on examples:
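The following is an added example, not code from the question or from the OpenUI5 project. It is a small offline JavaScript model of the part of a browser's CSP enforcement that the UI5 advice relies on: a `script-src` directive without `'unsafe-inline'` blocks every inline `<script>` block (including one an attacker injects through XSS) but still allows external scripts whose origin matches a listed source. Moving the `attachInit` code into its own file therefore gains nothing on its own; the gain comes from being able to ship a strict `script-src 'self'` afterwards, which the inline version only passes once `'unsafe-inline'` is added and the XSS protection is given up. The function names (`parseScriptSrc`, `extractScripts`, `auditPage`, `cspCompliant`) and the two sample pages are constructed for illustration; the declarative page uses the `data-sap-ui-oninit="module:sap/ui/core/ComponentSupport"` bootstrap attribute and the `data-sap-ui-component` div that the quoted documentation describes. The parsing is a deliberate simplification (regex over `<script>` tags, `'self'`, nonces and absolute host sources only), not a full CSP implementation.

```javascript
// Added example: a simplified model of CSP script-src enforcement (hypothetical
// helper names, not a browser or UI5 API). Covers only the rules relevant here.

// Return the source list of script-src, falling back to default-src as CSP does.
function parseScriptSrc(cspHeader) {
  const directives = new Map();
  for (const part of cspHeader.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives.get("script-src") || directives.get("default-src") || [];
}

// Extract <script> elements with the attributes that matter for CSP.
// Simplification: regex-based, no comments/CDATA handling.
function extractScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']*)["']/i.exec(m[1]);
    const nonce = /\bnonce\s*=\s*["']([^"']*)["']/i.exec(m[1]);
    out.push({
      src: src ? src[1] : null,
      nonce: nonce ? nonce[1] : null,
      inline: !src && m[2].trim().length > 0, // body without src = inline script
    });
  }
  return out;
}

// Decide whether one script element may execute. pageOrigin e.g. "https://app.example.com".
function isAllowed(script, sources, pageOrigin) {
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (script.inline) {
    if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) {
      return { allowed: true, reason: "nonce matches" };
    }
    // CSP3: 'unsafe-inline' is ignored once any nonce or hash source is listed.
    if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) {
      return { allowed: true, reason: "'unsafe-inline' present (XSS protection lost)" };
    }
    return { allowed: false, reason: "inline script blocked by script-src" };
  }
  if (script.src === null) return { allowed: true, reason: "empty script element" };
  const url = new URL(script.src, pageOrigin); // relative src resolves to the page origin
  for (const s of sources) {
    if (s === "'self'" && url.origin === pageOrigin) return { allowed: true, reason: "'self'" };
    if (/^https?:\/\//i.test(s) && new URL(s).origin === url.origin) {
      return { allowed: true, reason: `matches ${s}` };
    }
  }
  return { allowed: false, reason: `no source matches ${url.origin}` };
}

// Audit every script element of a page against a CSP header.
function auditPage(html, cspHeader, pageOrigin) {
  const sources = parseScriptSrc(cspHeader);
  return extractScripts(html).map((s) => ({ ...s, ...isAllowed(s, sources, pageOrigin) }));
}

function cspCompliant(html, cspHeader, pageOrigin) {
  return auditPage(html, cspHeader, pageOrigin).every((r) => r.allowed);
}

// Constructed sample: the layout produced by the first snippet in the question.
const INLINE_PAGE = `
<script id="sap-ui-bootstrap" src="resources/sap-ui-core.js"
  data-sap-ui-libs="sap.m" data-sap-ui-async="true"></script>
<script>
  sap.ui.getCore().attachInit(function () {
    new sap.m.Shell("", { appWidthLimited: false,
      app: new sap.ui.core.ComponentContainer("", { name: "webapp", height: "100%" })
    }).placeAt("content");
  });
</script>
<body class="sapUiBody" id="content"></body>`;

// Constructed sample: the declarative form the UI5 documentation recommends.
const DECLARATIVE_PAGE = `
<script id="sap-ui-bootstrap" src="resources/sap-ui-core.js"
  data-sap-ui-libs="sap.m" data-sap-ui-async="true"
  data-sap-ui-oninit="module:sap/ui/core/ComponentSupport"
  data-sap-ui-resourceroots='{"webapp": "./"}'></script>
<body class="sapUiBody">
  <div data-sap-ui-component data-name="webapp" data-id="container"
       data-settings='{"id": "webapp"}'></div>
</body>`;

const ORIGIN = "https://app.example.com";                      // assumed page origin
const STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'";
const WEAK_CSP = "script-src 'self' 'unsafe-inline'";          // the setting to avoid

for (const [name, page] of [["inline", INLINE_PAGE], ["declarative", DECLARATIVE_PAGE]]) {
  console.log(name, "under strict CSP:", auditPage(page, STRICT_CSP, ORIGIN));
}
console.log("inline page passes only with 'unsafe-inline':", cspCompliant(INLINE_PAGE, WEAK_CSP, ORIGIN));
```

Run with `node`. The inline page fails the strict policy on its second `<script>` and passes only under `WEAK_CSP`; the declarative page passes the strict policy because its only script is the external bootstrap loaded from the page's own origin. When deploying, send the policy as a `Content-Security-Policy` response header (or a `<meta http-equiv>` tag) and watch the browser console for violation reports while removing any remaining inline handlers.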