Posted to notifications@ofbiz.apache.org by "Jason Hao (JIRA)" <ji...@apache.org> on 2018/06/01 16:48:00 UTC
[jira] [Comment Edited] (OFBIZ-10417) Create a Content Security Policy
[ https://issues.apache.org/jira/browse/OFBIZ-10417?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16498142#comment-16498142 ]
Jason Hao edited comment on OFBIZ-10417 at 6/1/18 4:47 PM:
-----------------------------------------------------------
Due to this issue, the ecommerce website mostly doesn't work.
To make the ecommerce store work, temporarily comment out the line below:
org.apache.ofbiz.webapp.control.RequestHandler
Line 990
// resp.setHeader("Content-Security-Policy-Report-Only", "default-src 'self'");
was (Author: nk_smallbee):
Due to this issue, mostly the ecommerce website doesn't work.
> Create a Content Security Policy
> --------------------------------
>
> Key: OFBIZ-10417
> URL: https://issues.apache.org/jira/browse/OFBIZ-10417
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Reporter: Jacques Le Roux
> Priority: Minor
>
> At OFBIZ-6766 I have added a Content Security Policy
> To not block anything for the moment I have committed a report-only policy using the Content-Security-Policy-Report-Only header.
> The idea is that we can look at the issues using browsers tools.
> The next step is to report the errors (when there will not be too many) in the log using a report-uri
> And ultimately to use OOTB the most simple and constraining policy, with exceptions of course (as ever).
> If we encounter performance issues, or other disagreements, we can even comment out the current Content-Security-Policy-Report-Only
> Sincerely I think it will be left as is and we will let users decide on their own CSP... So the report only mode is just a reminder for them...
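The staged rollout described in the issue (report-only header first, then a report-uri so violations land in the server log, then an enforcing header with the exceptions the reports justify) is shown below as an added example. It is not OFBiz code and not part of this thread; the report endpoint path `/csp-report`, the sample violation reports and the helper names are all constructed for the example. The report shape (`csp-report` object with `document-uri`, `effective-directive`/`violated-directive`, `blocked-uri`) is what browsers POST to a `report-uri`.

```python
"""Staged Content-Security-Policy rollout (added example, not OFBiz code).

Stage 1: send the policy as Content-Security-Policy-Report-Only so nothing
is blocked.  Stage 2: add report-uri so the browser POSTs violations to the
server, which logs and aggregates them.  Stage 3: extend the policy with
the exceptions the reports show are needed and switch to the enforcing
Content-Security-Policy header.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

# The policy OFBiz ships in report-only mode: default-src 'self'
POLICY = {"default-src": ["'self'"]}

# Constructed endpoint path; OFBiz has no such controller request.
REPORT_URI = "/csp-report"


def build_csp_header(policy, enforce=False, report_uri=None):
    """Return (header_name, header_value) for a directive -> sources dict."""
    parts = [f"{directive} {' '.join(sources)}" for directive, sources in policy.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, "; ".join(parts)


def parse_violation_report(body):
    """Flatten one application/csp-report POST body.

    effective-directive names the directive that actually applied
    (e.g. script-src when only default-src is set), so it is preferred
    over violated-directive when present.
    """
    report = json.loads(body).get("csp-report", {})
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    blocked = report.get("blocked-uri", "")
    if blocked.startswith(("http://", "https://")):
        # Allowlist by origin, not by individual resource URL.
        parts = urlsplit(blocked)
        blocked = f"{parts.scheme}://{parts.netloc}"
    elif blocked in ("inline", "eval"):
        # The exception these would require; a deliberate decision, never automatic.
        blocked = f"'unsafe-{blocked}'"
    return {
        "document": report.get("document-uri", ""),
        "directive": directive.split()[0] if directive else "unknown",
        "blocked": blocked or "unknown",
    }


def summarize_reports(bodies):
    """Aggregate reports into {directive: {blocked source: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for body in bodies:
        r = parse_violation_report(body)
        counts[r["directive"]][r["blocked"]] += 1
    return {d: dict(srcs) for d, srcs in counts.items()}


def suggest_policy(base_policy, summary, min_count=1):
    """Copy base_policy and add origins seen at least min_count times.

    'unsafe-inline' / 'unsafe-eval' are reported but never added here: they
    defeat most of what CSP provides and need a human decision.
    """
    policy = {d: list(s) for d, s in base_policy.items()}
    for directive, sources in summary.items():
        for src, n in sources.items():
            if n < min_count or src == "unknown" or src.startswith("'unsafe-"):
                continue
            policy.setdefault(directive, ["'self'"])
            if src not in policy[directive]:
                policy[directive].append(src)
    return policy


def _report(document, directive, blocked):
    """Build a constructed report body in the browser's wire format."""
    return json.dumps({"csp-report": {
        "document-uri": document,
        "violated-directive": "default-src 'self'",
        "effective-directive": directive,
        "blocked-uri": blocked,
    }})


# Constructed sample reports, as a browser would POST them to report-uri.
SAMPLE_REPORTS = [
    _report("https://shop.example/ecommerce/main", "script-src", "https://cdn.example.com/jquery.js"),
    _report("https://shop.example/ecommerce/cart", "script-src", "https://cdn.example.com/app.js"),
    _report("https://shop.example/ecommerce/main", "style-src", "inline"),
    _report("https://shop.example/ecommerce/main", "img-src", "https://images.example.net/logo.png"),
]

if __name__ == "__main__":
    print(build_csp_header(POLICY, report_uri=REPORT_URI))          # stage 1 + 2
    summary = summarize_reports(SAMPLE_REPORTS)
    print(json.dumps(summary, indent=2))                             # what the log shows
    print(build_csp_header(suggest_policy(POLICY, summary, 2), enforce=True))  # stage 3
```

With the sample reports, the aggregated log shows two script loads from `https://cdn.example.com`, one inline style and one image origin; with `min_count=2` only the CDN origin is promoted into the enforcing policy, while the inline style stays visible in the summary for someone to decide on.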
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)