This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository
https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new 162f384 Improved: no functional change
162f384 is described below
commit 162f3847cb0521d8b7ae9198aaed78cfc9cdb088
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Fri Mar 20 10:51:49 2020 +0100
Improved: no functional change
Adds "Content-Security-Policy" frame-ancestors="self" in ErrorPage.ftl
Because this page is used as an HTTP 500 error it's more susceptible to
clickjacking
Quoting OWASP ZAP:
This problem still applies to error-type pages (401, 403, 500, etc.), as these
pages are still often affected by injection problems, in which case it is still
possible that browsers may interpret pages differently from their actual content
type.
I tried to work on other file types that were also reported but it's complicated
and I believe it's not worth it
---
themes/common-theme/template/ErrorPage.ftl | 1 +
1 file changed, 1 insertion(+)
diff --git a/themes/common-theme/template/ErrorPage.ftl b/themes/common-theme/template/ErrorPage.ftl
index 47f7caf..9be67b0 100644
--- a/themes/common-theme/template/ErrorPage.ftl
+++ b/themes/common-theme/template/ErrorPage.ftl
@@ -19,6 +19,7 @@ under the License.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
+ <meta http-equiv="Content-Security-Policy" frame-ancestors="self">
<title>500 Internal error</title>
<style>
body{
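Review bot: the meta tag added in this hunk will not restrict framing. A `<meta http-equiv="Content-Security-Policy">` element carries its policy in the `content` attribute, so `frame-ancestors="self"` is not a recognised attribute and declares no policy at all; and even written as `content="frame-ancestors 'self'"` (the keyword source must be single-quoted) it would still be ineffective, because the CSP specification states that `frame-ancestors` is ignored when the policy is delivered via a `<meta>` element and is only honoured in the HTTP response header. To give the 500 page the clickjacking protection the commit message describes, send `Content-Security-Policy: frame-ancestors 'self'` (and, for older browsers, `X-Frame-Options: SAMEORIGIN`) as a response header from the servlet or filter that renders ErrorPage.ftl rather than from the template, and drop this line from the template.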
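The commit message above relies on `frame-ancestors` to stop the error page being framed. As an added example (not OFBiz code and not part of this commit), the following checker applies the rule a browser applies: `frame-ancestors` counts only when it arrives in the `Content-Security-Policy` response header (or `X-Frame-Options` is set), while the same directive in a `<meta http-equiv="Content-Security-Policy">` tag is ignored. The sample headers and HTML bodies at the bottom are constructed for the demonstration; the function and helper names are my own.

```python
"""Decide whether an HTTP response is actually protected against clickjacking.

Added example, not project code. Rule implemented (from the CSP spec):
frame-ancestors is honoured only as an HTTP header; a <meta> policy that
contains it is ignored by browsers. X-Frame-Options DENY/SAMEORIGIN also counts.
"""
from html.parser import HTMLParser


class _MetaCspCollector(HTMLParser):
    """Collect the content of every <meta http-equiv="Content-Security-Policy">."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): v for k, v in attrs}
        if (a.get("http-equiv") or "").lower() == "content-security-policy":
            # A meta tag without a content attribute declares no policy at all.
            self.policies.append(a.get("content") or "")


def parse_csp(policy):
    """Split a CSP string into {directive-name: [source expressions]}."""
    directives = {}
    for raw in policy.split(";"):
        parts = raw.strip().split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def frame_protection(headers, body):
    """Return (protected, reason) for a response given its headers and HTML body."""
    h = {k.lower(): v for k, v in headers.items()}

    csp_header = h.get("content-security-policy")
    if csp_header:
        sources = parse_csp(csp_header).get("frame-ancestors")
        if sources is not None:
            return True, "CSP header frame-ancestors " + " ".join(sources)

    xfo = (h.get("x-frame-options") or "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo

    collector = _MetaCspCollector()
    collector.feed(body)
    for policy in collector.policies:
        if "frame-ancestors" in parse_csp(policy):
            return False, "frame-ancestors in <meta> is ignored by browsers; send it as a header"

    return False, "no framing restriction"


# Constructed samples (hypothetical responses, not captured from OFBiz).
META_NO_CONTENT = (  # shape of the tag the commit adds: no content attribute
    '<html><head><meta http-equiv="Content-Security-Policy" frame-ancestors="self">'
    "<title>500 Internal error</title></head><body></body></html>"
)
META_WELL_FORMED = (
    '<html><head><meta http-equiv="Content-Security-Policy" '
    "content=\"frame-ancestors 'self'\"><title>500</title></head><body></body></html>"
)
HEADER_PROTECTED = {"Content-Type": "text/html", "Content-Security-Policy": "frame-ancestors 'self'"}
XFO_PROTECTED = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
NO_HEADERS = {"Content-Type": "text/html"}


def demo():
    """Run the checker over the constructed samples; returns the (protected, reason) tuples."""
    return [
        frame_protection(NO_HEADERS, META_NO_CONTENT),
        frame_protection(NO_HEADERS, META_WELL_FORMED),
        frame_protection(HEADER_PROTECTED, "<html></html>"),
        frame_protection(XFO_PROTECTED, "<html></html>"),
    ]


if __name__ == "__main__":
    for protected, reason in demo():
        print("protected" if protected else "NOT protected", "-", reason)
```

Run it as a script and the first two samples (meta-delivered, with and without a `content` attribute) come out unprotected, while the two header-delivered samples are accepted. The same function can be pointed at a real response by passing `dict(resp.headers)` and the body text from whatever HTTP client is in use.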