Tracking prevention in Microsoft Edge blocks access to storage

Open Frank683 opened this issue 1 year ago • 1 comments

OpenUI5 version: 1.120.1

Browser/version (+device/version):

Microsoft Edge for Business Version 122.0.2365.80 (Offizielles Build) (64-Bit); PC; Windows 10

Any other tested browsers/devices(OK/FAIL):

no

URL (minimal example if possible):

Take any UI5 app loading the framework from the CDN. This app itself must not be hosted on any ondemand.com subdomain to fulfill the requirement ("Blocks trackers from sites you haven't visited") as stated in the definition of the "balanced" tracking prevention level in Edge settings. Demokit is fine and doesn't trigger the blocking in EDGE because it's running on the same subdomain as the CDN sources, so take a sample in a codepen or similar to analyze it.

User/password (if required and possible - do not post any confidential information here):

Steps to reproduce the problem: 1. 2. 3.

What is the expected result?

What happens instead?

MS Edge with tracking prevention settings set to "balanced" blocks UI5 framework components accessing storage (local/session) because the ondemand.com domain is listed on the "Disconnect" tracker list used by EDGE to determine if something is a tracker.

Any other information? (attach screenshot if possible)

Explanation how the tracking prevention in MS Edge is deciding on what is a tracker that should be blocked.

https://learn.microsoft.com/en-us/microsoft-edge/web-platform/tracking-prevention#classification

ondemand.com being listed on the tracker list managed by Disconnect

https://github.com/disconnectme/disconnect-tracking-protection/blob/master/services.json#L554

Maybe someone should contact the organisation managing this list to get the entire ondemand.com domain off the list. If someone runs a tracking service on any subdomain they probably shouldn't be listing the TLD to avoid such false positives.

Please also let me know what impact on my application I can expect from the UI5 framework being blocked from accessing local/session storage.

Best, Frank

Frank683 avatar Mar 13 '24 13:03 Frank683

From the documentation topic Browser and Platform Support:

If your personal or your organization’s tracking prevention settings within Microsoft Edge are too strict, *hana.ondemand.com addresses are blocked. To prevent this, load OpenUI5 from https://sdk.openui5.org/.

For SAPUI5: https://ui5.sap.com/

Additionally, [*.]ondemand.com could also be added to edge://settings/privacy/trackingPreventionExceptions.


If you are an SAP customer: Cf. related KBA 3216225 - Cloud Portal, Launchpad or Work Zone not working properly on Edge browser due to Tracking Prevention blocked - SAP for Me

boghyon avatar Mar 13 '24 14:03 boghyon

Steps to reproduce:

  1. Open edge://settings/privacy in MS Edge from your personal machine and ensure that:
    1. The Tracking Prevention is set to "Balanced".
    2. ondemand.com is not in the "Exceptions" list (edge://settings/privacy/trackingPreventionExceptions).
  2. Navigate to https://jsbin.com/tidujop/edit?html,output
  3. Open the devtools (F12) and observe the console tab.
  4. Clear the console and, from the JSBin UI, click on "Run with JS".

boghyon avatar Mar 22 '24 15:03 boghyon

Hello @Frank683, Thank you for sharing this finding. I've created an internal incident DINC0103244. The status of the issue will be updated here in GitHub.

50gY avatar Mar 22 '24 15:03 50gY

Hi Frank,

SAP has updated: Short and Powerful: Convenient URLs for SAPUI5/OpenUI5 CDN to include more info on Tracking Prevention topic.

You could go with the short name for OpenUI5 to avoid additional maintenance on the browser side. https://sdk.openui5.org/ is intended to serve only OpenUI5.

Regards, Vasil

i531029 avatar Mar 28 '24 09:03 i531029

As a workaround the short URL can be used: https://sdk.openui5.org/

i531029 avatar Apr 02 '24 12:04 i531029