Server security comprises topics such as cross-origin resource sharing and resource handlers.
SAPUI5 contains only a small server-side part, which supports the loading of resources by the client framework. Using the resource handlers is not mandatory: SAPUI5 also offers a static version of the libraries, which can be used with an arbitrary HTTP server.
For security reasons, XMLHttpRequest usually only allows access to resources from the same domain as the originating document. Because many web-based services are available today, such as RSS or Atom feeds, web services, and OData services, browsers also need to be able to access data sources from different domains. The CORS (Cross-Origin Resource Sharing) standard addresses this need. It allows a server to set special headers on its responses that tell the XMLHttpRequest object whether it is allowed to process the requested data.
CORS also plays an important role in SAPUI5-based applications. If the application itself and the data it visualizes come from different servers, the CORS headers must be configured correctly on the data-providing server to allow the application server's domain to access the data.
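The following added example (not SAP code) shows one way a data-providing server can decide which CORS headers to send for a request. The origin `https://app.example.com`, the function name `corsHeaders`, and the allowed methods and request headers are assumptions chosen for illustration.

```javascript
// Added example: origin allow-list check on a data-providing server.
// The host name below is a constructed placeholder, not an SAP endpoint.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com", // hypothetical SAPUI5 application server
]);

// Returns the CORS response headers for one request. When the origin is
// not allowed, only Vary is returned and the browser blocks the read.
function corsHeaders(requestOrigin, method, allowed = ALLOWED_ORIGINS) {
  const headers = { "Vary": "Origin" }; // caches must key on the Origin header
  if (typeof requestOrigin !== "string") {
    return headers; // no Origin header: same-origin or non-browser client
  }
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch {
    return headers; // malformed or opaque value such as "null"
  }
  // Compare the full serialized origin (scheme, host, port) exactly.
  // Prefix, suffix or unanchored pattern matching would also accept
  // look-alike hosts such as app.example.com.other.test.
  if (parsed.origin !== requestOrigin || !allowed.has(parsed.origin)) {
    return headers;
  }
  // Echo only the vetted origin instead of answering with "*".
  headers["Access-Control-Allow-Origin"] = parsed.origin;
  if (method === "OPTIONS") {
    // Preflight response: what the actual request is permitted to use.
    headers["Access-Control-Allow-Methods"] = "GET, POST";
    headers["Access-Control-Allow-Headers"] = "Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}
```
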
SAPUI5 uses CORS headers on its CDN-based library so that additional scripts, styles, and resources can be loaded from the CDN server.
The resource handler for ABAP is used to serve the resources from the MIME repository.
The resource handler for application resources for ABAP, NW 7.x is used to serve the resources from the SAPUI5 repository, which is based on the BSP repository.