This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository
https://gitbox.apache.org/repos/asf/ofbiz-framework.gitThe following commit(s) were added to refs/heads/trunk by this push:
new b6a796c Improved: no functional change
b6a796c is described below
commit b6a796cbdfc662459a4b52a01f0a9b67c18e7c30
Author: Jacques Le Roux <
[hidden email]>
AuthorDate: Fri Mar 20 10:51:49 2020 +0100
Improved: no functional change
Adds "Content-Security-Policy" frame-ancestors="self" in ErrorPage.ftl
Because this page is used as a HTTP 500 error it's more susceptible to
clickjacking
Quoting OWASP ZAP:
This problem still applies to error-type pages (401, 403, 500, etc.), as these
pages are still often affected by injection problems, in which case it is still
possible that browsers may interpret pages differently from their actual content
type.
I tried to work on other file types that were also reported but it's complicated
adn I believe it's not worth it
---
themes/common-theme/template/ErrorPage.ftl | 1 +
1 file changed, 1 insertion(+)
diff --git a/themes/common-theme/template/ErrorPage.ftl b/themes/common-theme/template/ErrorPage.ftl
index 47f7caf..9be67b0 100644
--- a/themes/common-theme/template/ErrorPage.ftl
+++ b/themes/common-theme/template/ErrorPage.ftl
@@ -19,6 +19,7 @@ under the License.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
+ <meta http-equiv="Content-Security-Policy" frame-ancestors="self">
<title>500 Internal error</title>
<style>
body{
Locked
