You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@ofbiz.apache.org by jl...@apache.org on 2017/10/20 08:02:55 UTC

svn commit: r1812720 - /ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java

Author: jleroux
Date: Fri Oct 20 08:02:55 2017
New Revision: 1812720

URL: http://svn.apache.org/viewvc?rev=1812720&view=rev
Log:
Implemented: Secure HTTP headers
(OFBIZ-6766)

Adds a Content Security Policy

To not block anything for the moment I have committed a simple most restrictive
Content-Security-Policy-Report-Only header

Then we can look at the issues using browsers tools (there are so much)
The next step is to report the errors (when there will not be too much) in the 
log using a report-uri
And ultimately to use OOTB the most simple and constraining policy, with 
exceptions of course (as ever).



Modified:
    ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java

Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java?rev=1812720&r1=1812719&r2=1812720&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java Fri Oct 20 08:02:55 2017
@@ -983,6 +983,10 @@ public class RequestHandler {
         
         resp.setHeader("Referrer-Policy", "no-referrer-when-downgrade"); // This is the default (in Firefox at least)
         
+        //resp.setHeader("Content-Security-Policy", "default-src 'self'");
+        //resp.setHeader("Content-Security-Policy-Report-Only", "default-src 'self'; report-uri webtools/control/ContentSecurityPolicyReporter");
+        resp.setHeader("Content-Security-Policy-Report-Only", "default-src 'self'");
+        
         // TODO in custom project. Public-Key-Pins-Report-Only is interesting but can't be used OOTB because of demos (the letsencrypt certificate is renewed every 3 months)
         
         // Security headers ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^