Skip to content

fix(framework): sap-ui-themeRoot block all origins by defaultTheme root disallow default #12035

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Aug 6, 2025
Merged

fix(framework): sap-ui-themeRoot block all origins by defaultTheme root disallow default #12035

merged 8 commits into from
Aug 6, 2025
+46 −8

Conversation

vladitasev
Copy link
Contributor

@vladitasev vladitasev commented Jul 29, 2025
edited
Loading

This change addresses 2 bugs:

  • validateThemeRoot not called for sap-ui-themeRoot=URL but rather just for the newer sap-ui-theme=sap_horizon@URL format
  • if no allowed domains are specified, the default should be to block all domains, not allow all, as it is currently.

Additionally:

  • sap-allowed-theme-origins is now the preferred name of the <meta tag

IMPORTANT: If you were relying on the old default behavior (setting no <meta tag allows all origins), you should explicitly add:

<meta name="sap-allowed-theme-origins" content="*">

to achieve the same results. However, we strongly advice against doing so. The best practice is to only list the trusted domains and use * as a last resort, if absolutely necessary.

@vladitasev vladitasev merged commit 8fa82da into main Aug 6, 2025
12 checks passed
@vladitasev vladitasev deleted the theme-root-disallow-default branch August 6, 2025 06:47
ilhan007 pushed a commit that referenced this pull request Aug 6, 2025
@vladitasev @ilhan007
fix(framework): sap-ui-themeRoot block all origins by defaultTheme ro…
0824f8c 
…ot disallow default (#12035)
@ui5-webcomponents-bot
Copy link
Collaborator

🎉 This PR is included in version v2.14.0-rc.0 🎉

The release is available on v2.14.0-rc.0

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nnaydenow nnaydenow nnaydenow approved these changes

@ilhan007 ilhan007 Awaiting requested review from ilhan007

@pskelin pskelin Awaiting requested review from pskelin

@MariaIDineva MariaIDineva Awaiting requested review from MariaIDineva

Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@vladitasev @ui5-webcomponents-bot @nnaydenow