Closed Frank683 closed 3 months ago
From the documentation topic Browser and Platform Support:
If your personal or your organization’s tracking prevention settings within Microsoft Edge are too strict,
*hana.ondemand.com
addresses are blocked. To prevent this, load OpenUI5 fromhttps://sdk.openui5.org/
.
For SAPUI5: https://ui5.sap.com/
Additionally, [*.]ondemand.com
could be also added to edge://settings/privacy/trackingPreventionExceptions
.
If you are an SAP customer: Cf. related KBA 3216225 - Cloud Portal, Launchpad or Work Zone not working properly on Edge browser due to Tracking Prevention blocked - SAP for Me
Steps to reproduce:
edge://settings/privacy
in MS Edge from your personal machine and ensure that:
ondemand.com
is not in the "Exceptions" list (edge://settings/privacy/trackingPreventionExceptions
).Hello @Frank683, Thank you for sharing this finding. I've created an internal incident DINC0103244. The status of the issue will be updated here in GitHub.
Hi Frank,
SAP has updated: Short and Powerful: Convenient URLs for SAPUI5/OpenUI5 CDN to include more info on Tracking Prevention topic.
You could go with the short name for OpenUI5 to avoid additional maintenance on the browser side. https://sdk.openui5.org/ is intended to serve only OpenUI5 .
Regards, Vasil
As a workaround the short URL can be used: https://sdk.openui5.org/
OpenUI5 version: 1.120.1
Browser/version (+device/version):
Microsoft Edge for Business Version 122.0.2365.80 (Offizielles Build) (64-Bit); PC; Windows 10
Any other tested browsers/devices(OK/FAIL):
no
URL (minimal example if possible):
Take any UI5 app loading the framework from the CDN. This app itself must not be hosted on any ondemand.com subdomain to fullfill the requirement "Blocks trackers from sites you haven't visited") as stated in the definition of the "balanced" tracking prevention level in Edge settings. Demokit is fine and doesn't trigger the blocking in EDGE because it's running on the same subdomain as the CDN sources, so take a sample in a codepen or similar to analyze it.
User/password (if required and possible - do not post any confidential information here):
Steps to reproduce the problem: 1. 2. 3.
What is the expected result?
What happens instead?
MS Edge with tracking prevention settings set to "balanced" blocks UI5 framework components accessing storage (local/session) because the ondemand.com domain is listed on the "Disconnect" tracker list used by EDGE to determine if something is a tracker.
Any other information? (attach screenshot if possible)
Explanation how the tracking prevention in MS Edge is deciding on what is a tracker that should be blocked.
https://learn.microsoft.com/en-us/microsoft-edge/web-platform/tracking-prevention#classification
ondemand.com being listed on the tracker list managed by Disconnect
https://github.com/disconnectme/disconnect-tracking-protection/blob/master/services.json#L554
Maybe someone should contact the organisation managing this list to get the entire ondemand.com domain off the list. If someone runs a tracking service on any subdomain they probably shouldn't be listing the TLD to avoid such false positives.
Please also let me know which impact to my application I can expect from the UI5 framework being blocked from accessing local/session storage.
Best, Frank