svn commit: r1812720 - /ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java


jleroux@apache.org
Author: jleroux
Date: Fri Oct 20 08:02:55 2017
New Revision: 1812720

URL: http://svn.apache.org/viewvc?rev=1812720&view=rev
Log:
Implemented: Secure HTTP headers
(OFBIZ-6766)

Adds a Content Security Policy

To not block anything for the moment, I have committed a simple, most restrictive
Content-Security-Policy-Report-Only header.

Then we can look at the issues using browser tools (there are so many).
The next step is to report the errors (when there will not be too many) in the
log using a report-uri.
And ultimately, to use OOTB the simplest and most constraining policy, with
exceptions of course (as ever).
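The rollout the commit log sketches (a report-only header now, a report-uri next, an enforced policy last), as an added example that is not part of the OFBiz commit or code base. It is written in Python rather than the project's Java because the point is the header value and the violation-report format, not the servlet API. The report endpoint path, the sample page URL and the sample violation reports are constructed; the report body layout is the `csp-report` JSON object browsers POST to a `report-uri`.

```python
"""Added example (not OFBiz code): the three-step CSP rollout described in
the commit log, with constructed sample data so it runs offline."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical report endpoint; the commit's commented-out line uses the
# relative form "webtools/control/ContentSecurityPolicyReporter".
REPORT_PATH = "/webtools/control/ContentSecurityPolicyReporter"


def build_csp(directives, report_only=False, report_uri=None):
    """Return (header name, header value) for a policy given as
    {directive: [source expressions]}; report_only picks the *-Report-Only
    header, which browsers evaluate and report on but never block with."""
    parts = [f"{name} {' '.join(values)}" for name, values in directives.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    header = ("Content-Security-Policy-Report-Only" if report_only
              else "Content-Security-Policy")
    return header, "; ".join(parts)


def _origin(blocked_uri):
    """Reduce a blocked-uri to scheme://host. Browsers send bare tokens such
    as 'inline', 'eval' or 'data' when there is no URL; keep those as-is."""
    if "://" not in blocked_uri:
        return blocked_uri
    parts = urlsplit(blocked_uri)
    return f"{parts.scheme}://{parts.netloc}"


def summarise_reports(bodies):
    """Parse report-uri POST bodies (JSON with a top-level 'csp-report'
    object) into a Counter keyed by (directive name, blocked origin)."""
    counts = Counter()
    for body in bodies:
        try:
            report = json.loads(body)["csp-report"]
            directive = report.get("effective-directive") or report["violated-directive"]
            blocked = report.get("blocked-uri", "")
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # malformed or unrelated body: client input is untrusted, skip it
        # Older browsers put the whole directive ("default-src 'self'") here; keep the name only.
        counts[(directive.split()[0], _origin(blocked))] += 1
    return counts


def allowlist_from_reports(counts, min_hits=1):
    """Candidate sources to add per directive before enforcing. 'inline' and
    'eval' are deliberately left out: the fix for those is to move that code
    into files, not to add 'unsafe-inline' / 'unsafe-eval'."""
    out = {}
    for (directive, origin), hits in counts.items():
        if hits >= min_hits and "://" in origin:
            out.setdefault(directive, set()).add(origin)
    return {d: sorted(o) for d, o in out.items()}


def _report(directive, blocked, page="https://demo.example.test/webtools/control/main"):
    # Constructed sample in the shape browsers POST to a report-uri endpoint.
    return json.dumps({"csp-report": {
        "document-uri": page, "violated-directive": directive,
        "effective-directive": directive, "blocked-uri": blocked,
        "original-policy": "default-src 'self'"}})


# Constructed sample traffic: three external loads, one inline script, one junk body.
SAMPLE_REPORTS = [
    _report("script-src", "https://cdn.example.test/jquery.js"),
    _report("script-src", "inline"),
    _report("img-src", "https://cdn.example.test/logo.png"),
    _report("script-src", "https://cdn.example.test/plugin.js"),
    "not a csp report",
]

if __name__ == "__main__":
    print(build_csp({"default-src": ["'self'"]}, report_only=True, report_uri=REPORT_PATH))
    counts = summarise_reports(SAMPLE_REPORTS)
    for key, n in counts.most_common():
        print(n, *key)
    print(allowlist_from_reports(counts))
```

The summary is what the log's "look at the issues" step produces once reports arrive at the endpoint instead of only in browser consoles: counting by origin rather than by full URL keeps the list short, and excluding `inline`/`eval` from the allowlist keeps the eventual enforced policy from being weakened just to silence the most common report.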
Modified:
    ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java

Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java?rev=1812720&r1=1812719&r2=1812720&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java Fri Oct 20 08:02:55 2017
@@ -983,6 +983,10 @@ public class RequestHandler {
         
         resp.setHeader("Referrer-Policy", "no-referrer-when-downgrade"); // This is the default (in Firefox at least)
         
+        //resp.setHeader("Content-Security-Policy", "default-src 'self'");
+        //resp.setHeader("Content-Security-Policy-Report-Only", "default-src 'self'; report-uri webtools/control/ContentSecurityPolicyReporter");
+        resp.setHeader("Content-Security-Policy-Report-Only", "default-src 'self'");
+        
         // TODO in custom project. Public-Key-Pins-Report-Only is interesting but can't be used OOTB because of demos (the letsencrypt certificate is renewed every 3 months)
         
         // Security headers ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
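Review bot: the two commented-out `resp.setHeader(...)` lines at the top of the hunk are dead code; either drop them (the log already states the intended progression from report-only to report-uri to an enforced policy) or replace them with a one-line comment that says so, and track the follow-up in OFBIZ-6766 rather than in the source. When the report-uri variant is reactivated, note that `report-uri webtools/control/ContentSecurityPolicyReporter` is a relative path, so each browser resolves it against the URL of the page that produced the violation; an absolute path such as `/webtools/control/ContentSecurityPolicyReporter` sends reports to one endpoint regardless of which webapp served the page. Finally, since the active line sets only `default-src 'self'` with no `report-uri`, violations are visible solely in browser developer tools, as the log acknowledges; it would help to say in the comment that this is deliberate for now.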