This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository
https://gitbox.apache.org/repos/asf/ofbiz-framework.gitThe following commit(s) were added to refs/heads/release17.12 by this push:
new bb26cc1 Improved: no functional change
bb26cc1 is described below
commit bb26cc1c62512c8fa1ccd973c6fa19b9e87e904c
Author: Jacques Le Roux <
[hidden email]>
AuthorDate: Fri Mar 20 10:51:49 2020 +0100
Improved: no functional change
Adds "Content-Security-Policy" frame-ancestors="self" in ErrorPage.ftl
Because this page is used as a HTTP 500 error it's more susceptible to
clickjacking
Quoting OWASP ZAP:
This problem still applies to error-type pages (401, 403, 500, etc.), as these
pages are still often affected by injection problems, in which case it is still
possible that browsers may interpret pages differently from their actual content
type.
I tried to work on other file types that were also reported but it's complicated
adn I believe it's not worth it
---
themes/common/template/ErrorPage.ftl | 1 +
1 file changed, 1 insertion(+)
diff --git a/themes/common/template/ErrorPage.ftl b/themes/common/template/ErrorPage.ftl
index 47f7caf..9be67b0 100644
--- a/themes/common/template/ErrorPage.ftl
+++ b/themes/common/template/ErrorPage.ftl
@@ -19,6 +19,7 @@ under the License.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
+ <meta http-equiv="Content-Security-Policy" frame-ancestors="self">
<title>500 Internal error</title>
<style>
body{
Locked
