You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2017/10/19 11:47:09 UTC
svn commit: r1812623 -
/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
Author: jleroux
Date: Thu Oct 19 11:47:09 2017
New Revision: 1812623
URL: http://svn.apache.org/viewvc?rev=1812623&view=rev
Log:
Reverted: Enhance cookies security
(OFBIZ-9865)
This reverts r1812540. It does not fit with OFBiz which then ask you to login
on any action!
Modified:
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java?rev=1812623&r1=1812622&r2=1812623&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java Thu Oct 19 11:47:09 2017
@@ -981,8 +981,6 @@ public class RequestHandler {
// https://bugzilla.mozilla.org/show_bug.cgi?id=528661
resp.addHeader("X-XSS-Protection","1; mode=block");
- resp.setHeader("Set-Cookie", "SameSite=strict"); // TODO maybe one day the ServletContext will allow to do that, then better in WebAppServletContextListener
-
resp.setHeader("Referrer-Policy", "no-referrer-when-downgrade"); // This is the default (in Firefox at least)
// TODO in custom project. Public-Key-Pins-Report-Only is interesting but can't be used OOTB because of demos (the letsencrypt certificate is renewed every 3 months)