Jan Schober

Chrome, localhost and CSRF

Hi all,

I’d like to share some experience, building and debugging SAP UI5 Apps against SMP and finally hitting an SAP Netweaver Gateway.

I really like Google’s Chrome browser for debugging HTML5 apps as it comes with the nice JavaScript Console giving you all kinds of information during runtime.

So I was building an app using AppBuilder which would create a SalesOrder in the Gateway System.

As we all know, to do modifying requests (like a creation) it is required to overcome the Cross-Site Request Forgery Protection, so we have to fetch an X-CSRF-TOKEN and send it along with the modifying request.

As some might not know, with Netweaver Gateway you also receive and have to provide a cookie called sap-XSRF_<SID>_<client> (for more information see

As mentioned before, I worked with AppBuilder with a development SMP server, running on the same box, and AppBuilder obviously running in Google Chrome to be able to debug. So what happened was, whenever I tried POSTing the SalesOrder I received a “CSRF Token validation failed” error – although I had fetched it before and I could even see the token as well as the cookie being received in the debugger. Strangely enough the token arrived at Gateway – I could see that in the trace – but the cookie never did.

At first I thought SMP might be tampering with the cookie, being kind of the hop in the middle. But further debugging proved that was not the case: the cookie actually never arrived at SMP either.

So it had to be the UI5 app, I thought. But suspecting the UI5 framework or my coding also proved wrong, as I was successfully able to do the POST when hitting the Gateway directly.

Finally, there was one piece left in the equation, which is Chrome itself providing the runtime for my app. After some research, I found this nice little thread on the Internet, basically saying “You can only set domain cookies for registry controlled domains, i.e. something ending in .com or so, but not IPs or intranet hostnames like localhost”

It suddenly dawned on me: AppBuilder and SMP were running on the same box, so I had used localhost for configuring the connection between AppBuilder and SMP!

I changed that to its fully qualified domain name – et voilà, SalesOrder creation worked!

Bottom line: Don’t use localhost or IP addresses as a link if you are working in Chrome – you might experience some strange behavior!

PS: If your development machine doesn’t have a fully qualified domain name, just add a line to your hosts file, saying something like and use that as your hostname.

1 Comment

Martin Grasshoff

Hi Jan.

Good that you ran into this and not me 😉

And as usual you managed to solve even the most obscure issues.

Great work.