You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2018/05/27 07:32:00 UTC

[jira] [Updated] (OFBIZ-10417) Create a Content Security Policy

     [ https://issues.apache.org/jira/browse/OFBIZ-10417?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-10417:
------------------------------------
    Description: 
At OFBIZ-6766 I have added a Content Security Policy

To not block anything for the moment I have committed an only report policy using the Content-Security-Policy-Report-Only header.

The idea is that we can look at the issues using browsers tools.
The next step is to report the errors (when there will not be too much) in the log using a report-uri
And ultimately to use OOTB the most simple and constraining policy, with exceptions of course (as ever).
If we encounter performance issues, or other disagrements, we can even  we can comment out the current Content-Security-Policy-Report-Only 

Sincerely I think it will be let as is and we will let users decide on their own CSP... So the report only is just a reminder...

  was:
At OFBIZ-6766 I have added a Content Security Policy

To not block anything for the moment I have committed an only report policy using the Content-Security-Policy-Report-Only header.

The idea is that we can look at the issues using browsers tools.
The next step is to report the errors (when there will not be too much) in the log using a report-uri
And ultimately to use OOTB the most simple and constraining policy, with exceptions of course (as ever).
If we encounter performance issues, or other disagrements, we can even  we can comment out the current Content-Security-Policy-Report-Only 


> Create a Content Security Policy
> --------------------------------
>
>                 Key: OFBIZ-10417
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10417
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework
>            Reporter: Jacques Le Roux
>            Priority: Minor
>
> At OFBIZ-6766 I have added a Content Security Policy
> To not block anything for the moment I have committed an only report policy using the Content-Security-Policy-Report-Only header.
> The idea is that we can look at the issues using browsers tools.
> The next step is to report the errors (when there will not be too much) in the log using a report-uri
> And ultimately to use OOTB the most simple and constraining policy, with exceptions of course (as ever).
> If we encounter performance issues, or other disagrements, we can even  we can comment out the current Content-Security-Policy-Report-Only 
> Sincerely I think it will be let as is and we will let users decide on their own CSP... So the report only is just a reminder...



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)