Author: jleroux
Date: Thu Nov 1 12:55:52 2018 New Revision: 1845467 URL: http://svn.apache.org/viewvc?rev=1845467&view=rev Log: "Applied fix from trunk for revision: 1845466" ------------------------------------------------------------------------ r1845466 | jleroux | 2018-11-01 13:55:26 +0100 (jeu. 01 nov. 2018) | 3 lignes Improved: no functional change, just some formatting Thanks: Taher for review ------------------------------------------------------------------------ Modified: ofbiz/ofbiz-framework/branches/release17.12/ (props changed) ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java Propchange: ofbiz/ofbiz-framework/branches/release17.12/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Thu Nov 1 12:55:52 2018 @@ -10,4 +10,4 @@ /ofbiz/branches/json-integration-refactoring:1634077-1635900 /ofbiz/branches/multitenant20100310:921280-927264 /ofbiz/branches/release13.07:1547657 -/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393,1823467,1823562,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825211,1825216,1825233,1825450,1826374,1826502,1826592,1826671,1826674,1826805,1826938,1826997,1827439,1828255,1828316,1828346,1828424,1828512,1828514,1829690,1830936,1831074,1831078,1831234,1831608,1831831,1832577,1832662,1832756,1832800,1832944,1833173,1833211,1834181,1834191,1834736,1835235,1835887,1835891,1835953,1835964,1836144,1836871,1837857,1838032,1838256,1838381,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1844943,1845418,1845420 +/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393,1823467,1823562,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825211,1825216,1825233,1825450,1826374,1826502,1826592,1826671,1826674,1826805,1826938,1826997,1827439,1828255,1828316,1828346,1828424,1828512,1828514,1829690,1830936,1831074,1831078,1831234,1831608,1831831,1832577,1832662,1832756,1832800,1832944,1833173,1833211,1834181,1834191,1834736,1835235,1835887,1835891,1835953,1835964,1836144,1836871,1837857,1838032,1838256,1838381,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1844943,1845418,1845420,1845466 Modified: ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java?rev=1845467&r1=1845466&r2=1845467&view=diff ============================================================================== --- ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java (original) +++ ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java Thu Nov 1 12:55:52 2018 @@ -989,7 +989,7 @@ public final class UtilHttp { if (viewMap != null) { xFrameOption = viewMap.xFrameOption; } - // default to sameorigin + // Default to sameorigin if (UtilValidate.isNotEmpty(xFrameOption)) { if(!"none".equals(xFrameOption)) { resp.addHeader("x-frame-options", xFrameOption); @@ -998,11 +998,13 @@ public final class UtilHttp { resp.addHeader("x-frame-options", "sameorigin"); } + // HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server. String strictTransportSecurity = null; if (viewMap != null) { strictTransportSecurity = viewMap.strictTransportSecurity; - } - // default to "max-age=31536000; includeSubDomains" 31536000 secs = 1 year + } + + // Default to "max-age=31536000; includeSubDomains" 31536000 secs = 1 year if (UtilValidate.isNotEmpty(strictTransportSecurity)) { if (!"none".equals(strictTransportSecurity)) { resp.addHeader("strict-transport-security", strictTransportSecurity); @@ -1013,22 +1015,21 @@ public final class UtilHttp { } } - //The only x-content-type-options defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. - // This also applies to Google Chrome, when downloading extensions. + /** The only x-content-type-options defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. + This also applies to Google Chrome, when downloading extensions. */ resp.addHeader("x-content-type-options", "nosniff"); - // This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. - // It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. - // This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. Its unknown if that version honored this header. - // FireFox has still an open bug entry and "offers" only the noscript plugin - // https://wiki.mozilla.org/Security/Features/XSS_Filter - // https://bugzilla.mozilla.org/show_bug.cgi?id=528661 + /** This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. + It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. + This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. Its unknown if that version honored this header. + FireFox has still an open bug entry and "offers" only the noscript plugin + https://wiki.mozilla.org/Security/Features/XSS_Filter + https://bugzilla.mozilla.org/show_bug.cgi?id=528661 + **/ resp.addHeader("X-XSS-Protection","1; mode=block"); resp.setHeader("Referrer-Policy", "no-referrer-when-downgrade"); // This is the default (in Firefox at least) - //resp.setHeader("Content-Security-Policy", "default-src 'self'"); - //resp.setHeader("Content-Security-Policy-Report-Only", "default-src 'self'; report-uri webtools/control/ContentSecurityPolicyReporter"); resp.setHeader("Content-Security-Policy-Report-Only", "default-src 'self'"); // TODO in custom project. Public-Key-Pins-Report-Only is interesting but can't be used OOTB because of demos (the letsencrypt certificate is renewed every 3 months) |
Free forum by Nabble | Edit this page |