Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2020/07/15 04:44:00 UTC

[jira] [Commented] (OFBIZ-11889) fixes for csp-report subsystem

    [ https://issues.apache.org/jira/browse/OFBIZ-11889?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17157874#comment-17157874 ] 

Jacques Le Roux commented on OFBIZ-11889:
-----------------------------------------

Hi Alex,

Thanks for your interesting patch. 

I understand your POV: a clean log in browser and I much agree with that (it's awful at the moment). But as I said already I'm against using unsafe-inline for security reasons: https://content-security-policy.com/unsafe-inline/

As explained in this page it would be OK coupled with strict-dynamic. Among the "major" browsers only IE (not a major browser anymore) is not able to cope with it. We should not worry about that, IE is no longer supported (only in Windows < 8) and it's the responsibility of users to take care of their own security, as main browsers and more and more sites warn you and even sometimes don't load.

So if you are up for it, let's go...

About your patch, you certainly did not use trunk HEAD to create it, but your own modified version (no unsafe-inline in trunk). Please remember to stash, pull and check before creating your patches or PRs.

Also I believe the best place for {{<request-map uri="csp-report">}} is not in webtools controller but in common-controller.

> fixes for csp-report subsystem
> ------------------------------
>
>                 Key: OFBIZ-11889
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11889
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL COMPONENTS
>    Affects Versions: Release Branch 17.12, Trunk
>            Reporter: Alex Bodnaru
>            Priority: Major
>         Attachments: csp-report.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> added report-uri and unsafe-inline support for csp report.
> added handling of csp-reports and logging them as errors.
> unhandled reports are polluting the browser error console.
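The two points the thread turns on (keeping 'unsafe-inline' only as a fallback behind a nonce and 'strict-dynamic', and handling the reports the browser POSTs to report-uri instead of letting them pollute the console) are shown below in an added example. This is not code from the OFBiz project or from the attached patch; an OFBiz request-map handler would be Java, and the function names, the /csp-report path, the 16 KiB body cap, the "browser extension is noise" heuristic and the sample report bodies are all assumptions constructed here for illustration.

```python
# Added example, not OFBiz code. Builds a per-request CSP in which 'unsafe-inline'
# is only a fallback for browsers without nonce support, checks whether a given
# policy string actually lets inline scripts run in a modern browser, and turns a
# report-uri POST into a structured log record.
import base64
import json
import secrets

MAX_REPORT_BYTES = 16 * 1024  # assumption: cap so one noisy client cannot flood the log

# assumption: scripts injected by browser extensions are logged at info, not error
NOISE_PREFIXES = ("chrome-extension://", "moz-extension://", "safari-extension://")


def make_nonce() -> str:
    """Fresh, unguessable nonce; generate one per response and never reuse it."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp(nonce: str, report_uri: str = "/csp-report", hosts=("'self'",)) -> str:
    """CSP3 browsers honour the nonce and 'strict-dynamic' and ignore 'unsafe-inline'
    and the host list. CSP2 browsers see a nonce, so they ignore 'unsafe-inline' and
    apply the host list. CSP1-only browsers (old IE) know neither, so they fall back
    to 'unsafe-inline' plus the host list and the page still renders."""
    script_src = " ".join((f"'nonce-{nonce}'", "'strict-dynamic'", "'unsafe-inline'", *hosts))
    return (f"script-src {script_src}; object-src 'none'; base-uri 'none'; "
            f"report-uri {report_uri}")


def parse_policy(policy: str) -> dict:
    """Split a policy string into {directive-name: [source expressions]}."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def unsafe_inline_is_effective(policy: str) -> bool:
    """True when 'unsafe-inline' really permits inline scripts in a current browser:
    script-src (or the default-src fallback) carries it with no nonce, hash or
    'strict-dynamic' source to neutralise it."""
    directives = parse_policy(policy)
    sources = [s.lower() for s in directives.get("script-src", directives.get("default-src", []))]
    if "'unsafe-inline'" not in sources:
        return False
    neutralisers = ("'nonce-", "'sha256-", "'sha384-", "'sha512-", "'strict-dynamic'")
    return not any(s.startswith(neutralisers) for s in sources)


def handle_csp_report(content_type: str, body: bytes) -> dict:
    """Validate one report-uri POST and normalise it into a log record.
    Raises ValueError on anything that is not a well-formed CSP report."""
    if not content_type.lower().startswith("application/csp-report"):
        raise ValueError(f"unexpected content type: {content_type!r}")
    if len(body) > MAX_REPORT_BYTES:
        raise ValueError("report too large")
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed csp report") from exc
    if not isinstance(report, dict):
        raise ValueError("malformed csp report")
    blocked = str(report.get("blocked-uri", ""))  # "inline" or "eval" for inline violations
    return {
        "level": "info" if blocked.startswith(NOISE_PREFIXES) else "error",
        "directive": report.get("effective-directive") or report.get("violated-directive", ""),
        "blocked_uri": blocked,
        "document_uri": report.get("document-uri", ""),
        "source_file": report.get("source-file", ""),
        "line": report.get("line-number"),
    }


def accepts_report(content_type: str, body: bytes) -> bool:
    """True if handle_csp_report accepts the request; used to exercise the rejection paths."""
    try:
        handle_csp_report(content_type, body)
        return True
    except ValueError:
        return False


# Constructed sample bodies in the report-uri JSON format, not real reports.
SAMPLE_INLINE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://shop.example/webtools/control/main",
    "referrer": "",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "original-policy": "script-src 'self'; report-uri /csp-report",
    "blocked-uri": "inline",
    "status-code": 200,
    "source-file": "https://shop.example/webtools/control/main",
    "line-number": 42,
}}).encode()

SAMPLE_EXTENSION_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://shop.example/webtools/control/main",
    "violated-directive": "script-src",
    "blocked-uri": "chrome-extension://abcdefghijklmnop/content.js",
}}).encode()


if __name__ == "__main__":
    policy = build_csp(make_nonce())
    print(policy)
    print("unsafe-inline effective:", unsafe_inline_is_effective(policy))
    print(handle_csp_report("application/csp-report", SAMPLE_INLINE_REPORT))
```

The record returned by handle_csp_report is what the endpoint would hand to the logger: a blocked_uri of "inline" with level "error" is exactly the class of violation the patch wants surfaced server-side, while extension-injected scripts are kept at info so they do not drown real findings. Serve the endpoint without CSRF protection (browsers send reports without a session or token) and without authentication, but cap the body and reject anything that is not application/csp-report.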



--
This message was sent by Atlassian Jira
(v8.3.4#803005)