Show TOC

Security Aspects for Standalone ApplicationsLocate this document in the navigation structure

In the default configuration, standalone applications can only be run from a restricted number of folders. You can change this default behavior.

In the default configuration shipped by SAP, standalone applications can only be run if they originate from the following folders:

  • /sap/bc/ui5_ui5/
  • /sap/bc/ui5_demokit/test-resources/sap/ushell/demoapps/

If you would like to run standalone applications from other locations, or if you would like further restrict the number of allowed folders, or disable standalone applications completely, you can change this configuration using a launchpad configuration file.

Example:

"services" : {
	"NavTargetResolution" : {
		"config" : {
			"runStandaloneAppFolderWhitelist" : {
				"/sap/bc/ui5_ui5" : true,
				"/sap/bc/ui5_demokit/test-resources/sap/ushell/demoapps/" : true
			}
		}
	}
}
Same-Origin Policy

If you embed standalone applications in an Enterprise Portal or another UI using an iFrame, we recommend to run both the Enterprise Portal (or other UI) and the SAP Fiori launchpad behind a reverse proxy, for example SAP Web Dispatcher. This makes both systems appear to web browsers as being served by the same host, to avoid any issues with web browsers' same-origin policy.

If this is not possible and you prefer to relax click-jacking protection for the SAP Fiori launchpad, see SAP note 2057847 Information published on SAP site.

Related Information