svn commit: r1845468 - in /ofbiz/branches/release16.11: ./ framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

svn commit: r1845468 - in /ofbiz/branches/release16.11: ./ framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java

jleroux@apache.org
Author: jleroux
Date: Thu Nov  1 12:55:55 2018
New Revision: 1845468

URL: http://svn.apache.org/viewvc?rev=1845468&view=rev
Log:
"Applied fix from trunk framework for revision: 1845466"
------------------------------------------------------------------------
r1845466 | jleroux | 2018-11-01 13:55:26 +0100 (jeu. 01 nov. 2018) | 3 lignes

Improved: no functional change, just some formatting

Thanks: Taher for review
------------------------------------------------------------------------


Modified:
    ofbiz/branches/release16.11/   (props changed)
    ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java

Propchange: ofbiz/branches/release16.11/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Nov  1 12:55:55 2018
@@ -10,5 +10,5 @@
 /ofbiz/branches/json-integration-refactoring:1634077-1635900
 /ofbiz/branches/multitenant20100310:921280-927264
 /ofbiz/branches/release13.07:1547657
-/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1793300,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801318-1801319,1801336,1801340,1801346,1801349-1801350,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814392,1814501,1814591,1814642,1814644,1814709,1814873,1814928,1814934,1815059,1816264,1816273,1816289,
 1816291,1816297,1816369,1816373,1816461,1816635,1816795,1818101,1818269,1818273,1818402,1819122,1819136,1819144,1819811,1820823,1820949,1820966,1821012,1821036,1821613,1821965,1822310,1822377,1822383,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825233,1825262,1825444,1825450,1826374,1826592,1826671,1826805,1826938,1828255,1830936,1831234,1831608,1831831,1832577,1832662,1832756,1832944,1833211,1834181,1834191,1835235,1836144,1838032,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1845418,1845420
+/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1793300,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801318-1801319,1801336,1801340,1801346,1801349-1801350,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814392,1814501,1814591,1814642,1814644,1814709,1814873,1814928,1814934,1815059,1816264,1816273,1816289,
 1816291,1816297,1816369,1816373,1816461,1816635,1816795,1818101,1818269,1818273,1818402,1819122,1819136,1819144,1819811,1820823,1820949,1820966,1821012,1821036,1821613,1821965,1822310,1822377,1822383,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825233,1825262,1825444,1825450,1826374,1826592,1826671,1826805,1826938,1828255,1830936,1831234,1831608,1831831,1832577,1832662,1832756,1832944,1833211,1834181,1834191,1835235,1836144,1838032,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1845418,1845420,1845466
 /ofbiz/trunk:1770481,1770490,1770540,1771440,1771448,1771516,1771935,1772346,1772880,1774772,1775441,1779724,1780659,1781109,1781125,1781979,1782498,1782520

Modified: ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java?rev=1845468&r1=1845467&r2=1845468&view=diff
==============================================================================
--- ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java (original)
+++ ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java Thu Nov  1 12:55:55 2018
@@ -950,7 +950,7 @@ public final class UtilHttp {
         if (viewMap != null) {
             xFrameOption = viewMap.xFrameOption;
         }
-        // default to sameorigin
+        // Default to sameorigin
         if (UtilValidate.isNotEmpty(xFrameOption)) {
             if(!"none".equals(xFrameOption)) {
                 resp.addHeader("x-frame-options", xFrameOption);
@@ -959,11 +959,13 @@ public final class UtilHttp {
             resp.addHeader("x-frame-options", "sameorigin");
         }
 
+        // HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server.
         String strictTransportSecurity = null;
         if (viewMap != null) {
             strictTransportSecurity = viewMap.strictTransportSecurity;
-        }        
-        // default to "max-age=31536000; includeSubDomains" 31536000 secs = 1 year
+        }
+
+        // Default to "max-age=31536000; includeSubDomains" 31536000 secs = 1 year
         if (UtilValidate.isNotEmpty(strictTransportSecurity)) {
             if (!"none".equals(strictTransportSecurity)) {
                 resp.addHeader("strict-transport-security", strictTransportSecurity);
@@ -974,22 +976,21 @@ public final class UtilHttp {
             }
         }
         
-        //The only x-content-type-options defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.
-        // This also applies to Google Chrome, when downloading extensions.
+        /** The only x-content-type-options defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.
+         This also applies to Google Chrome, when downloading extensions. */
         resp.addHeader("x-content-type-options", "nosniff");
         
-        // This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
-        // It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user.
-        // This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. Its unknown if that version honored this header.
-        // FireFox has still an open bug entry and "offers" only the noscript plugin
-        // https://wiki.mozilla.org/Security/Features/XSS_Filter 
-        // https://bugzilla.mozilla.org/show_bug.cgi?id=528661
+         /** This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
+         It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user.
+         This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. Its unknown if that version honored this header.
+         FireFox has still an open bug entry and "offers" only the noscript plugin
+         https://wiki.mozilla.org/Security/Features/XSS_Filter 
+         https://bugzilla.mozilla.org/show_bug.cgi?id=528661
+         **/
         resp.addHeader("X-XSS-Protection","1; mode=block");
         
         resp.setHeader("Referrer-Policy", "no-referrer-when-downgrade"); // This is the default (in Firefox at least)
         
-        //resp.setHeader("Content-Security-Policy", "default-src 'self'");
-        //resp.setHeader("Content-Security-Policy-Report-Only", "default-src 'self'; report-uri webtools/control/ContentSecurityPolicyReporter");
         resp.setHeader("Content-Security-Policy-Report-Only", "default-src 'self'");
         
         // TODO in custom project. Public-Key-Pins-Report-Only is interesting but can't be used OOTB because of demos (the letsencrypt certificate is renewed every 3 months)