SAP Knowledge Base Article - Preview

3637440 - How to mitigate "Overly Permissive CORS Policy" in HTML5 applications from SAP CDN

Symptom

The user creates an HTML5 or UI5 application that loads its resources from the SAPUI5 CDN (Content Delivery Network) and deploys it through the BTP Cockpit.

An SAP third-party security audit of the HTML5 or UI5 application reports a finding with the following description:

Risk: A domain includes a list of domains that can make cross-domain requests to shared resources in the Access-Control-Allow-Origin header. This header can contain either a list of domains or a wildcard character ("*") to allow all access. Having a wildcard is considered an overly permissive policy.

Impact: An overly permissive CORS policy can allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay, and other attacks. It can open possibilities for entire domain compromise.

Misconfigured Access-Control-Allow-Origin header. This header allows the defined third party to access a given resource.

      • The audit flags the following URL:
        <SAPUI5 available host>/resources/sap-ui5-core.js
        which is served with the response header
        Access-Control-Allow-Origin: *
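As an added illustration (this is not part of the KBA and not SAP code), the following Python snippet classifies the Access-Control-Allow-Origin value found in a recorded response, distinguishing the wildcard flagged above from a reflected origin and from a proper origin allowlist, and shows the headers an allowlist-based policy would return instead of "*". The trusted origins, hostnames and header sets are constructed for the example; the allowlist itself is an assumption, since the KBA preview does not state which origins an application should permit.

```python
"""Added example (not SAP code): classify the Access-Control-Allow-Origin
header of a recorded response and build an allowlist-based alternative to "*".
All origins, hostnames and header sets below are constructed for the demo."""

from urllib.parse import urlsplit

# Constructed allowlist of origins trusted to load the application's resources.
# Hypothetical values; a real deployment lists its own app and launchpad origins.
TRUSTED_ORIGINS = frozenset({
    "https://myapp.cfapps.example.com",
    "https://launchpad.example.com",
})


def _is_valid_origin(origin: str) -> bool:
    """An origin is scheme://host[:port] with no path, query or fragment."""
    parts = urlsplit(origin)
    return (parts.scheme in ("https", "http") and bool(parts.netloc)
            and parts.path == "" and not parts.query and not parts.fragment)


def classify_cors(request_origin: str, headers: dict, trusted=TRUSTED_ORIGINS) -> str:
    """Return a verdict for one request Origin / response header pair.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"                  # browsers block cross-origin reads
    if acao == "*":
        # The audit finding: any origin may read the resource. Browsers reject
        # "*" combined with credentials, but it still signals a misconfiguration.
        return "wildcard-with-credentials" if creds else "wildcard"
    if acao == request_origin:
        if request_origin in trusted:
            return "allowlisted"
        # The server echoed an untrusted Origin back: equivalent to "*" but
        # also usable with credentials, so worse than a plain wildcard.
        return "reflected-origin"
    return "origin-mismatch"              # browsers block this response


def cors_headers_for(request_origin: str, trusted=TRUSTED_ORIGINS) -> dict:
    """Build the response headers an allowlist-based policy would emit."""
    if not _is_valid_origin(request_origin) or request_origin not in trusted:
        return {}                         # no ACAO header: same-origin only
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Vary": "Origin",                 # caches must key on the Origin header
    }


def audit(samples: list) -> dict:
    """Classify a list of (name, request_origin, response_headers) records."""
    return {name: classify_cors(origin, headers) for name, origin, headers in samples}


# Constructed request/response pairs resembling what an audit tool records.
SAMPLES = [
    ("cdn-wildcard", "https://untrusted.example",
     {"Access-Control-Allow-Origin": "*"}),
    ("reflected", "https://untrusted.example",
     {"Access-Control-Allow-Origin": "https://untrusted.example",
      "Access-Control-Allow-Credentials": "true"}),
    ("allowlisted", "https://myapp.cfapps.example.com",
     {"Access-Control-Allow-Origin": "https://myapp.cfapps.example.com",
      "Vary": "Origin"}),
    ("no-header", "https://untrusted.example",
     {"Content-Type": "application/javascript"}),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:12s} -> {verdict}")
    print(cors_headers_for("https://myapp.cfapps.example.com"))
    print(cors_headers_for("https://untrusted.example"))
```

Two caveats the classification encodes: Access-Control-Allow-Origin can carry only a single origin or "*", so an allowlist is implemented by echoing the request's Origin back when it matches the list, and such a response must include Vary: Origin so that shared caches do not serve one origin's response to another. Whether a "*" on a public CDN serving static framework files is an actual exposure depends on whether the resource is user-specific; the check above reports the header value as the audit does and leaves that assessment to the reviewer.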

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."


Environment

SAP Business Technology Platform: NEO and Cloud Foundry Environment.

Product

SAP Business Technology Platform all versions

Keywords

CORS, cross-origin resource sharing, overly permissive policy, wildcard Access-Control-Allow-Origin, SAPUI5 CDN, security vulnerability, Access-Control-Allow-Origin header, SAP Fiori Cloud, Launchpad Site, static assets, cross-domain requests, SAPUI5 framework, *, restrictions, response header, sensitive business data, HTML5, CSS, JavaScript, UI5 application, images, fonts, ensure, cross domain, multiple, source, KBA, BC-CP-CF-HTML5, HTML5 Application Repository Service, BC-NEO-RT-HTML5, Runtime HTML5 Applications, Problem
