Hi Jacques,
how can I configure a view so that no x-frame-options header is set? While it is great to have these security options and also have a secure default, there are cases where you might want to switch these header settings off. Thanks and regards, Michael Am 12.12.15 um 12:37 schrieb [hidden email]: > Author: jleroux > Date: Sat Dec 12 11:37:56 2015 > New Revision: 1719660 > > URL: http://svn.apache.org/viewvc?rev=1719660&view=rev > Log: > 1st step for "Secure HTTP headers" https://issues.apache.org/jira/browse/OFBIZ-6766 > > Here are X-Frame-Options and Strict-Transport-Security, just a start... > > Modified: > ofbiz/trunk/framework/webapp/config/requestHandler.properties > ofbiz/trunk/framework/webapp/dtd/site-conf.xsd > ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java > ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java > > Modified: ofbiz/trunk/framework/webapp/config/requestHandler.properties > URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/config/requestHandler.properties?rev=1719660&r1=1719659&r2=1719660&view=diff > ============================================================================== > --- ofbiz/trunk/framework/webapp/config/requestHandler.properties (original) > +++ ofbiz/trunk/framework/webapp/config/requestHandler.properties Sat Dec 12 11:37:56 2015 
> @@ -5,6 +5,10 @@ throwRequestHandlerExceptionOnMissingLoc > status-code=302 > > # -- Default Content-Disposition type > -#-- attachment might be replaced by inline if you prefer to offer this option to your users. > +# attachment might be replaced by inline if you prefer to offer this option to your users. > # attachment is supposed to be more secure, but this is a bit unclear see OFBIZ-6702 for details > -content-disposition-type=attachment > \ No newline at end of file > +content-disposition-type=attachment > + > +# -- Should we use strict-transport-security? True by default. > +# Use false if you don't have a certificate or not a signed one and it annoys you to set "none" for each HTTP request! > +#strict-transport-security=false > \ No newline at end of file > > Modified: ofbiz/trunk/framework/webapp/dtd/site-conf.xsd > URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/dtd/site-conf.xsd?rev=1719660&r1=1719659&r2=1719660&view=diff > ============================================================================== > --- ofbiz/trunk/framework/webapp/dtd/site-conf.xsd (original) > +++ ofbiz/trunk/framework/webapp/dtd/site-conf.xsd Sat Dec 12 11:37:56 2015 
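Review bot: The new comment on the `strict-transport-security` property explains the switch in terms of annoyance ("it annoys you to set 'none' for each HTTP request") rather than the actual risk, and the "none" value is per view-map, not per request. The XSD text in the same commit already states the consequence: with an untrusted certificate HSTS removes the browser's bypass, so users are locked out rather than warned. I would replace the line with `# Use false if browsers do not trust your certificate: with HSTS they refuse the connection instead of offering a bypass, and you would otherwise need strict-transport-security="none" on every view-map.` Note that the Java side reads this property with a hard-coded default of true and, per its own FIXME, without the delegator, so a tenant-level override of this property presumably will not take effect yet.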
> @@ -774,5 +774,38 @@ under the License. > </xs:restriction> > </xs:simpleType> > </xs:attribute> > + <xs:attribute name="x-frame-option" default="sameorigin"> > + <xs:annotation> > + <xs:documentation> > + Provides clickjacking protection by instructing browsers that this page should not be placed within a frame. > + Possible values are: > + deny - no rendering within a frame, > + sameorigin - no rendering if origin mismatch, and > + allow-from: - allow rendering if framing page is within the specified URI domain. > + Allow from is supported by IE and Firefox, but not Chrome or Safari. > + It will also interfere with In Page Google Analytics since it requires your page to be framed by Google. > + </xs:documentation> > + </xs:annotation> > + <xs:simpleType> > + <xs:restriction base="xs:token"> > + <xs:enumeration value="deny"/> > + <xs:enumeration value="sameorigin"/> > + <xs:enumeration value="allow-from"/> > + </xs:restriction> > + </xs:simpleType> > + </xs:attribute> > + <xs:attribute type="xs:string" name="strict-transport-security"> > + <xs:annotation> > + <xs:documentation> > + HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server. > + This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against Man-in-the-middle attacks. > + HSTS also disables the ability for users to ignore SSL negotiation warnings. > + If the security of the connection cannot be ensured (e.g. the server's TLS certificate is not trusted), > + it shows an error message and do not allow the user to access the web application. > + As recommended by OWASP, by default "max-age=31536000; includeSubDomains" is used except if the server is localhost or 127.0.0.1. > + If the strict-transport-security is "none" then it will not be used. 
> + </xs:documentation> > + </xs:annotation> > + </xs:attribute> > </xs:attributeGroup> > </xs:schema> > > Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java > URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java?rev=1719660&r1=1719659&r2=1719660&view=diff > ============================================================================== > --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java (original) > +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java Sat Dec 12 11:37:56 2015 > @@ -622,6 +622,8 @@ public class ConfigXMLReader { > public String info; > public String contentType; > public String encoding; > + public String xFrameOption; > + public String strictTransportSecurity; > public String description; > public boolean noCache = false; 
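Review bot: The attribute is declared here as `x-frame-option` (singular), but the ConfigXMLReader hunk reads `viewMapElement.getAttribute("x-frame-options")` (plural), so a controller.xml that validates against this schema will have its value silently ignored and the code-side default of sameorigin will always win; one of the two should be renamed, and `name="x-frame-options"` matches the header. The `allow-from` enumeration value cannot carry the URI the documentation says it requires, so the bare token would reach `resp.addHeader` unchanged in the RequestHandler hunk and produce a header browsers cannot honour; either restrict the enumeration to `deny`/`sameorigin` or replace it with an `xs:pattern` that accepts `allow-from <uri>`. The documentation also promises that HSTS is skipped for localhost or 127.0.0.1, but no such check exists in the RequestHandler hunk; either implement it or drop the sentence so the schema does not describe behaviour the code lacks.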
> > @@ -633,6 +635,8 @@ public class ConfigXMLReader { > this.contentType = viewMapElement.getAttribute("content-type"); > this.noCache = "true".equals(viewMapElement.getAttribute("no-cache")); > this.encoding = viewMapElement.getAttribute("encoding"); > + this.xFrameOption = viewMapElement.getAttribute("x-frame-options"); > + this.strictTransportSecurity = viewMapElement.getAttribute("strict-transport-security"); > this.description = UtilXml.childElementValue(viewMapElement, "description"); > if (UtilValidate.isEmpty(this.page)) { > this.page = this.name; > > Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java > URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1719660&r1=1719659&r2=1719660&view=diff > ============================================================================== > --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original) > +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Sat Dec 12 11:37:56 2015 > @@ -128,7 +128,7 @@ public class RequestHandler { > public void doRequest(HttpServletRequest request, HttpServletResponse response, String chain, > GenericValue userLogin, Delegator delegator) throws RequestHandlerException, RequestHandlerExceptionAllowExternalRequests { > > - final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase( > + final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase( > "requestHandler.properties", "throwRequestHandlerExceptionOnMissingLocalRequest", "Y", delegator); > long startTime = System.currentTimeMillis(); > HttpSession session = request.getSession(); 
> @@ -694,7 +694,7 @@ public class RequestHandler { > viewName = nextRequestResponse.value; > } > if (UtilValidate.isEmpty(viewName) && UtilValidate.isNotEmpty(nextRequestResponse.value)) { > - viewName = nextRequestResponse.value; > + viewName = nextRequestResponse.value; > } > if (urlParams != null) { > for (Map.Entry<String, Object> urlParamEntry: urlParams.entrySet()) { > @@ -984,6 +984,26 @@ public class RequestHandler { > UtilHttp.setResponseBrowserProxyNoCache(resp); > if (Debug.verboseOn()) Debug.logVerbose("Sending no-cache headers for view [" + nextPage + "]", module); > } > + > + String xFrameOption = viewMap.xFrameOption; > + // default to sameorigin > + if (UtilValidate.isNotEmpty(xFrameOption)) { > + resp.addHeader("x-frame-options", xFrameOption); > + } else { > + resp.addHeader("x-frame-options", "sameorigin"); > + } > + > + String strictTransportSecurity = viewMap.strictTransportSecurity; > + // default to "max-age=31536000; includeSubDomains" 31536000 secs = 1 year > + if (UtilValidate.isNotEmpty(strictTransportSecurity)) { > + if (!"none".equals(strictTransportSecurity)) { > + resp.addHeader("strict-transport-security", strictTransportSecurity); > + } > + } else { > + if (EntityUtilProperties.getPropertyAsBoolean("requestHandler", "strict-transport-security", true)) { // FIXME later pass req.getAttribute("delegator") as last argument > + resp.addHeader("strict-transport-security", "max-age=31536000; includeSubDomains"); > + } > + } > > try { > if (Debug.verboseOn()) Debug.logVerbose("Rendering view [" + nextPage + "] of type [" + viewMap.type + "]", module); 
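Review bot: In the `@@ -984` hunk there is no way to turn X-Frame-Options off for a view: any non-empty value is emitted verbatim and an empty one falls back to sameorigin, whereas the HSTS branch directly below recognises a `"none"` sentinel, so the two options are inconsistent and the question raised in this thread has no answer in the code. Mirroring the HSTS branch, `if (!"none".equals(xFrameOption)) { resp.setHeader("x-frame-options", xFrameOption); }` inside the non-empty case would fix both points, and `setHeader` rather than `addHeader` (for both headers) avoids a second, conflicting value when a filter or an earlier handler in the chain has already set one. Be aware that HSTS is an origin-wide policy once a browser has received it, so a one-year `includeSubDomains` default sent by any single view applies to the whole host and its subdomains and cannot be undone by a per-view "none"; the first deployment with this default should be deliberate. The FIXME on the `getPropertyAsBoolean` call means the property is read without the delegator, so it presumably ignores tenant-specific overrides until that is addressed. The enclosing method begins and ends outside this hunk.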
> @@ -1024,7 +1044,7 @@ public class RequestHandler { > */ > @Deprecated > public static String getDefaultServerRootUrl(HttpServletRequest request, boolean secure) { > - Delegator delegator = (Delegator) request.getAttribute("delegator"); > + Delegator delegator = (Delegator) request.getAttribute("delegator"); > String httpsPort = EntityUtilProperties.getPropertyValue("url", "port.https", "443", delegator); > String httpsServer = EntityUtilProperties.getPropertyValue("url", "force.https.host", delegator); > String httpPort = EntityUtilProperties.getPropertyValue("url", "port.http", "80", delegator); > > smime.p7s (5K) Download Attachment |
Hi Michael,
Just saw this message, the Jira and your patch, +1 for the whole Thanks Jacques Le 24/10/2017 à 20:04, Michael Brohl a écrit : > Hi Jacques, > > how can I configure a view so that no x-frame-options header is set? > > While it is great to have these security options and also have a secure default, there are cases where you might want to switch this header settings > off. > > Thanks and regards, > > Michael > > > Am 12.12.15 um 12:37 schrieb [hidden email]: >> Author: jleroux >> Date: Sat Dec 12 11:37:56 2015 >> New Revision: 1719660 >> >> URL: http://svn.apache.org/viewvc?rev=1719660&view=rev >> Log: >> 1st step for "Secure HTTP headers" https://issues.apache.org/jira/browse/OFBIZ-6766 >> >> Here are X-Frame-Options and Strict-Transport-Security, just a start... >> >> Modified: >> ofbiz/trunk/framework/webapp/config/requestHandler.properties >> ofbiz/trunk/framework/webapp/dtd/site-conf.xsd >> ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java >> ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java >> >> Modified: ofbiz/trunk/framework/webapp/config/requestHandler.properties >> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/config/requestHandler.properties?rev=1719660&r1=1719659&r2=1719660&view=diff >> ============================================================================== >> --- ofbiz/trunk/framework/webapp/config/requestHandler.properties (original) >> +++ ofbiz/trunk/framework/webapp/config/requestHandler.properties Sat Dec 12 11:37:56 2015 
>> @@ -5,6 +5,10 @@ throwRequestHandlerExceptionOnMissingLoc >> status-code=302 >> # -- Default Content-Disposition type >> -#-- attachment might be replaced by inline if you prefer to offer this option to your users. >> +# attachment might be replaced by inline if you prefer to offer this option to your users. >> # attachment is supposed to be more secure, but this is a bit unclear see OFBIZ-6702 for details >> -content-disposition-type=attachment >> \ No newline at end of file >> +content-disposition-type=attachment >> + >> +# -- Should we use strict-transport-security? True by default. >> +# Use false if you don't have a certificate or not a signed one and it annoys you to set "none" for each HTTP request! >> +#strict-transport-security=false >> \ No newline at end of file >> >> Modified: ofbiz/trunk/framework/webapp/dtd/site-conf.xsd >> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/dtd/site-conf.xsd?rev=1719660&r1=1719659&r2=1719660&view=diff >> ============================================================================== >> --- ofbiz/trunk/framework/webapp/dtd/site-conf.xsd (original) >> +++ ofbiz/trunk/framework/webapp/dtd/site-conf.xsd Sat Dec 12 11:37:56 2015 
>> @@ -774,5 +774,38 @@ under the License. >> </xs:restriction> >> </xs:simpleType> >> </xs:attribute> >> + <xs:attribute name="x-frame-option" default="sameorigin"> >> + <xs:annotation> >> + <xs:documentation> >> + Provides clickjacking protection by instructing browsers that this page should not be placed within a frame. >> + Possible values are: >> + deny - no rendering within a frame, >> + sameorigin - no rendering if origin mismatch, and >> + allow-from: - allow rendering if framing page is within the specified URI domain. >> + Allow from is supported by IE and Firefox, but not Chrome or Safari. >> + It will also interfere with In Page Google Analytics since it requires your page to be framed by Google. >> + </xs:documentation> >> + </xs:annotation> >> + <xs:simpleType> >> + <xs:restriction base="xs:token"> >> + <xs:enumeration value="deny"/> >> + <xs:enumeration value="sameorigin"/> >> + <xs:enumeration value="allow-from"/> >> + </xs:restriction> >> + </xs:simpleType> >> + </xs:attribute> >> + <xs:attribute type="xs:string" name="strict-transport-security"> >> + <xs:annotation> >> + <xs:documentation> >> + HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server. >> + This reduces impact of bugs in web applications leaking session data through cookies and external links and defends against >> Man-in-the-middle attacks. >> + HSTS also disables the ability for users to ignore SSL negotiation warnings. >> + If the security of the connection cannot be ensured (e.g. the server's TLS certificate is not trusted), >> + it shows an error message and do not allow the user to access the web application. >> + As recommended by OWASP, by default "max-age=31536000; includeSubDomains" is used except if the server is localhost or 127.0.0.1. >> + If the strict-transport-security is "none" then it will not be used. 
>> + </xs:documentation> >> + </xs:annotation> >> + </xs:attribute> >> </xs:attributeGroup> >> </xs:schema> >> >> Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java?rev=1719660&r1=1719659&r2=1719660&view=diff >> ============================================================================== >> --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java (original) >> +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java Sat Dec 12 11:37:56 2015 >> @@ -622,6 +622,8 @@ public class ConfigXMLReader { >> public String info; >> public String contentType; >> public String encoding; >> + public String xFrameOption; >> + public String strictTransportSecurity; >> public String description; >> public boolean noCache = false; 
>> @@ -633,6 +635,8 @@ public class ConfigXMLReader { >> this.contentType = viewMapElement.getAttribute("content-type"); >> this.noCache = "true".equals(viewMapElement.getAttribute("no-cache")); >> this.encoding = viewMapElement.getAttribute("encoding"); >> + this.xFrameOption = viewMapElement.getAttribute("x-frame-options"); >> + this.strictTransportSecurity = viewMapElement.getAttribute("strict-transport-security"); >> this.description = UtilXml.childElementValue(viewMapElement, "description"); >> if (UtilValidate.isEmpty(this.page)) { >> this.page = this.name; >> >> Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1719660&r1=1719659&r2=1719660&view=diff >> ============================================================================== >> --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original) >> +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Sat Dec 12 11:37:56 2015 >> @@ -128,7 +128,7 @@ public class RequestHandler { >> public void doRequest(HttpServletRequest request, HttpServletResponse response, String chain, >> GenericValue userLogin, Delegator delegator) throws RequestHandlerException, RequestHandlerExceptionAllowExternalRequests { >> - final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase( >> + final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase( >> "requestHandler.properties", "throwRequestHandlerExceptionOnMissingLocalRequest", "Y", delegator); >> long startTime = System.currentTimeMillis(); >> HttpSession session = request.getSession(); 
>> @@ -694,7 +694,7 @@ public class RequestHandler { >> viewName = nextRequestResponse.value; >> } >> if (UtilValidate.isEmpty(viewName) && UtilValidate.isNotEmpty(nextRequestResponse.value)) { >> - viewName = nextRequestResponse.value; >> + viewName = nextRequestResponse.value; >> } >> if (urlParams != null) { >> for (Map.Entry<String, Object> urlParamEntry: urlParams.entrySet()) { >> @@ -984,6 +984,26 @@ public class RequestHandler { >> UtilHttp.setResponseBrowserProxyNoCache(resp); >> if (Debug.verboseOn()) Debug.logVerbose("Sending no-cache headers for view [" + nextPage + "]", module); >> } >> + >> + String xFrameOption = viewMap.xFrameOption; >> + // default to sameorigin >> + if (UtilValidate.isNotEmpty(xFrameOption)) { >> + resp.addHeader("x-frame-options", xFrameOption); >> + } else { >> + resp.addHeader("x-frame-options", "sameorigin"); >> + } >> + >> + String strictTransportSecurity = viewMap.strictTransportSecurity; >> + // default to "max-age=31536000; includeSubDomains" 31536000 secs = 1 year >> + if (UtilValidate.isNotEmpty(strictTransportSecurity)) { >> + if (!"none".equals(strictTransportSecurity)) { >> + resp.addHeader("strict-transport-security", strictTransportSecurity); >> + } >> + } else { >> + if (EntityUtilProperties.getPropertyAsBoolean("requestHandler", "strict-transport-security", true)) { // FIXME later pass >> req.getAttribute("delegator") as last argument >> + resp.addHeader("strict-transport-security", "max-age=31536000; includeSubDomains"); >> + } >> + } >> try { >> if (Debug.verboseOn()) Debug.logVerbose("Rendering view [" + nextPage + "] of type [" + viewMap.type + "]", module); 
>> @@ -1024,7 +1044,7 @@ public class RequestHandler { >> */ >> @Deprecated >> public static String getDefaultServerRootUrl(HttpServletRequest request, boolean secure) { >> - Delegator delegator = (Delegator) request.getAttribute("delegator"); >> + Delegator delegator = (Delegator) request.getAttribute("delegator"); >> String httpsPort = EntityUtilProperties.getPropertyValue("url", "port.https", "443", delegator); >> String httpsServer = EntityUtilProperties.getPropertyValue("url", "force.https.host", delegator); >> String httpPort = EntityUtilProperties.getPropertyValue("url", "port.http", "80", delegator); >> >> > > |