You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2015/12/15 19:12:05 UTC

svn commit: r1720213 - /ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java

Author: jleroux
Date: Tue Dec 15 18:12:05 2015
New Revision: 1720213

URL: http://svn.apache.org/viewvc?rev=1720213&view=rev
Log:
5th step for "Secure HTTP headers" https://issues.apache.org/jira/browse/OFBIZ-6766

X-XSS-Protection

This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user.
This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. Its unknown if that version honored this header.
FireFox has still an open bug entry and "offers" only the noscript plugin.
https://wiki.mozilla.org/Security/Features/XSS_Filter
https://bugzilla.mozilla.org/show_bug.cgi?id=528661

Modified:
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1720213&r1=1720212&r2=1720213&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Tue Dec 15 18:12:05 2015
@@ -1005,10 +1005,18 @@ public class RequestHandler {
             }
         }
         
-        //The only x-vontent-type-options defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. 
+        //The only x-content-type-options defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. 
         // This also applies to Google Chrome, when downloading extensions.
         resp.addHeader("x-content-type-options", "nosniff");
         
+        // This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. 
+        // It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. 
+        // This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. Its unknown if that version honored this header.
+        // FireFox has still an open bug entry and "offers" only the noscript plugin
+        // https://wiki.mozilla.org/Security/Features/XSS_Filter 
+        // https://bugzilla.mozilla.org/show_bug.cgi?id=528661
+        resp.addHeader("X-XSS-Protection","1; mode=block"); 
+        
         String setCookie = resp.getHeader("set-cookie");
         if (UtilValidate.isNotEmpty(setCookie)) {
             setCookie = setCookie.toLowerCase();