Posted to dev@ofbiz.apache.org by "jleroux@apache.org" <jl...@apache.org> on 2020/03/20 19:20:25 UTC

Re: [ofbiz-framework] branch trunk updated: Improved: no functional change

I have finally decided to backport this (low) security issue.

It's easy to do so, better to be safe than sorry.

Jacques

On 20/03/2020 at 10:51, jleroux@apache.org wrote:
> This is an automated email from the ASF dual-hosted git repository.
>
> jleroux pushed a commit to branch trunk
> in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
>
>
> The following commit(s) were added to refs/heads/trunk by this push:
>       new b6a796c  Improved: no functional change
> b6a796c is described below
>
> commit b6a796cbdfc662459a4b52a01f0a9b67c18e7c30
> Author: Jacques Le Roux <ja...@les7arts.com>
> AuthorDate: Fri Mar 20 10:51:49 2020 +0100
>
>      Improved: no functional change
>      
>      Adds "Content-Security-Policy" frame-ancestors="self" in ErrorPage.ftl
>      Because this page is used as an HTTP 500 error it's more susceptible to
>      clickjacking
>      
>      Quoting OWASP ZAP:
>      This problem still applies to error-type pages (401, 403, 500, etc.), as these
>      pages are still often affected by injection problems, in which case it is still
>      possible that browsers may interpret pages differently from their actual content
>      type.
>      
>      I tried to work on other file types that were also reported but it's complicated
>      and I believe it's not worth it
> ---
>   themes/common-theme/template/ErrorPage.ftl | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/themes/common-theme/template/ErrorPage.ftl b/themes/common-theme/template/ErrorPage.ftl
> index 47f7caf..9be67b0 100644
> --- a/themes/common-theme/template/ErrorPage.ftl
> +++ b/themes/common-theme/template/ErrorPage.ftl
> @@ -19,6 +19,7 @@ under the License.
>   <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>   <html>
>   <head>
> +    <meta http-equiv="Content-Security-Policy" frame-ancestors="self">
>       <title>500 Internal error</title>
>       <style>
>           body{
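Review bot: the added `<meta>` element on the `+` line delivers no policy at all, so the 500 page stays framable. A CSP meta element carries its directives in the `content` attribute; `frame-ancestors="self"` as a bare attribute is an unknown attribute that browsers ignore. The syntactically correct form would be `<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self'">`, but that still would not fix the issue, because the CSP specification requires browsers to ignore `frame-ancestors` when it arrives in a meta element; it only takes effect as an HTTP response header. To protect the error page from clickjacking, send `Content-Security-Policy: frame-ancestors 'self'` (plus `X-Frame-Options: SAMEORIGIN` for browsers without CSP Level 2 support) as response headers from the code that serves the 500 page, rather than from the template, and verify with OWASP ZAP or a browser's network panel that the headers are present on the error response itself.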
>
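For the header-based delivery that the commit message's goal (stopping clickjacking of the 500 page) actually requires, the following is an added example of a servlet filter that sets the clickjacking headers on every response, including error dispatches. It is example code written for this page, not OFBiz code; the package, the class name and the web.xml fragment in the comment are assumptions.

```java
// Added example, not OFBiz code: a servlet filter delivering clickjacking
// protection as HTTP response headers, which is the only delivery channel
// browsers honour for the frame-ancestors directive. Package and class
// names are hypothetical.
package example.security;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed web.xml registration. The ERROR dispatcher entry is the important
 * part: the container's forward to the 500 error page is a separate dispatch,
 * and a filter mapped only to REQUEST never runs on it.
 *
 *   <filter>
 *     <filter-name>FrameAncestorsFilter</filter-name>
 *     <filter-class>example.security.FrameAncestorsFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>FrameAncestorsFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *     <dispatcher>ERROR</dispatcher>
 *   </filter-mapping>
 */
public class FrameAncestorsFilter implements Filter {

    // CSP Level 2 directive: only same-origin documents may frame this response.
    private static final String CSP_VALUE = "frame-ancestors 'self'";
    // Legacy fallback for browsers that predate CSP frame-ancestors.
    private static final String XFO_VALUE = "SAMEORIGIN";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            // Headers must be set before the response is committed; once the
            // container has flushed the body, these calls are silently ignored.
            // addHeader is used for CSP because a browser enforces every
            // Content-Security-Policy header it receives, so an application
            // policy set later in the chain is not overwritten.
            httpResponse.addHeader("Content-Security-Policy", CSP_VALUE);
            // Only one X-Frame-Options value is meaningful, so it is replaced.
            httpResponse.setHeader("X-Frame-Options", XFO_VALUE);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Because the filter runs again on the ERROR dispatch, the headers are present on the 500 page even when the failing servlet threw before any header could be set, and the template itself needs no change; ZAP's "Missing Anti-clickjacking Header" check can be used to confirm the error response now carries both headers.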