HANA XSA CORS Setting for SAPUI5 Application

Hi all,

I have the following situation. I want to use the new Fiori Launchpad Service, which I had managed to deploy. Moreover, I created standalone SAPUI5 applications which are also deployed on XSA. Now I want to add these applications to the Fiori Launchpad Service by adding them in the site-content.json. However, I get the following error message:

I know this error occurs due to the CORS security policy of the browser.

Does somebody know how to set up the CORS settings? Maybe via the router configuration? I have to give back in the response header the "Access-Control-Allow-Origin" for the Fiori Launchpad.

Best regards,

Manjinder Singh

1 Answer

  • May 14, 2018 at 08:49 PM

    Have a look at the readme of the @sap/approuter module:


    The CORS keyword enables you to provide support for cross-origin requests, for example, by allowing the modification of the request header. Cross-origin resource sharing (CORS) permits Web pages from other domains to make HTTP requests to your application domain, where normally such requests would automatically be refused by the Web browser's security policy. Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a webpage to be requested from another domain (/protocol/port) outside the domain (/protocol/port) from which the first resource was served. CORS configuration enables you to define details to control access to your application resource from other Web browsers. For example, you can specify where requests can originate from or what is allowed in the request and response headers.

    The Cross-Origin configuration is provided in the CORS environment variable.

    The CORS configuration is an array of objects. Here are the properties that a CORS object can have:

    | Property | Type | Optional | Description |
    |---|---|---|---|
    | uriPattern | String | | A regular expression representing for which source routes CORS configuration is applicable. To ensure the RegExp matches the complete path, surround it with ^ and $. Defaults: none. |
    | allowedOrigin | Array | | A comma-separated list of objects that each one of them containing host name, port and protocol that are allowed by the server. For example: [{"host": ""}] or [{"host": ""}]. Note: matching is case-sensitive. In addition, if port or protocol are not specified the default is "__". Defaults: none. |
    | allowedMethods | Array of upper-case HTTP methods | x | Comma-separated list of HTTP methods that are allowed by the server. Defaults: ["GET", "POST", "HEAD", "OPTIONS"] (all) applies. Note: matching is case-sensitive. |
    | maxAge | Number | x | A single value specifying how long, in seconds, a preflight response should be cached. A negative value will prevent CORS Filter from adding this response header to pre-flight response. Defaults: 1800. |
    | allowedHeaders | Array of headers | x | Comma-separated list of request headers that are allowed by the server. Defaults: ["Origin", "Accept", "X-Requested-With", "Content-Type", "Access-Control-Request-Method", "Access-Control-Request-Headers"]. |
    | exposeHeaders | Array of headers | x | Comma-separated list of response headers (other than simple headers) that can be exposed. Defaults: none. |
    | allowedCredentials | Boolean | x | A flag that indicates whether the resource supports user credentials. Defaults: true. |

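
The property table in the answer above can be turned into a pre-deployment check. The following is an added example, not part of the original thread and not @sap/approuter code: it lints a CORS value against the documented properties. It assumes the CORS environment variable holds a JSON string; `lintCors`, `sampleCors`, the `/myapp/` route and the host `flp.example.com` (a stand-in for the Fiori Launchpad origin) are hypothetical.

```javascript
// Added example, not @sap/approuter code: lints a CORS value against the
// property table quoted in the answer. Assumes the variable holds JSON.
// Constructed sample; flp.example.com stands in for the Fiori Launchpad host.
const sampleCors = JSON.stringify([{
  uriPattern: "^/myapp/(.*)$",
  allowedOrigin: [{ host: "flp.example.com", protocol: "https", port: 443 }],
  allowedMethods: ["GET", "HEAD", "OPTIONS"],
  allowedCredentials: true
}]);

function lintCors(json) {
  let cors;
  try { cors = JSON.parse(json); } catch (e) { return ["CORS is not valid JSON"]; }
  if (!Array.isArray(cors)) return ["CORS must be an array of objects"];
  const findings = [];
  cors.forEach((entry, i) => {
    const add = (msg) => findings.push(`CORS[${i}]: ${msg}`);
    if (!entry || typeof entry !== "object") return add("entry is not an object");
    // uriPattern has no default and should match the complete path.
    if (typeof entry.uriPattern !== "string") {
      add("uriPattern missing");
    } else {
      try { new RegExp(entry.uriPattern); } catch (e) { add("uriPattern is not a valid RegExp"); }
      if (!entry.uriPattern.startsWith("^") || !entry.uriPattern.endsWith("$"))
        add("uriPattern not anchored with ^ and $");
    }
    // allowedOrigin has no default; each object should pin host, protocol and port.
    const origins = Array.isArray(entry.allowedOrigin) ? entry.allowedOrigin : [];
    if (origins.length === 0) add("allowedOrigin missing or empty");
    origins.forEach((o, j) => {
      if (!o || typeof o.host !== "string" || o.host === "") add(`allowedOrigin[${j}] has no host`);
      else if (o.protocol === undefined || o.port === undefined)
        add(`allowedOrigin[${j}] leaves protocol or port to the default`);
    });
    // Method matching is case-sensitive and methods are expected in upper case.
    (entry.allowedMethods || []).forEach((m) => {
      if (typeof m !== "string" || m !== m.toUpperCase())
        add(`method ${JSON.stringify(m)} is not upper-case`);
    });
    if (entry.maxAge !== undefined && typeof entry.maxAge !== "number") add("maxAge must be a number");
    // allowedCredentials defaults to true; make the choice explicit.
    if (typeof entry.allowedCredentials !== "boolean") add("allowedCredentials not set, defaults to true");
  });
  return findings;
}

console.log(lintCors(sampleCors));
```

An empty result means every documented property is explicit; each finding names the array index and the property to review before the value is set on the router.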