Author: jleroux
Date: Thu Oct 19 11:47:09 2017
New Revision: 1812623
URL: http://svn.apache.org/viewvc?rev=1812623&view=rev
Log:
Reverted: Enhance cookies security
(OFBIZ-9865)
This reverts r1812540. It does not fit with OFBiz which then ask you to login
on any action!
Modified:
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
Modified:
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
URL:
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java?rev=1812623&r1=1812622&r2=1812623&view=diff
==============================================================================
---
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
(original)
+++
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
Thu Oct 19 11:47:09 2017
@@ -981,8 +981,6 @@ public class RequestHandler {
// https://bugzilla.mozilla.org/show_bug.cgi?id=528661
resp.addHeader("X-XSS-Protection","1; mode=block");
- resp.setHeader("Set-Cookie", "SameSite=strict"); // TODO maybe one day
the ServletContext will allow to do that, then better in
WebAppServletContextListener
-
resp.setHeader("Referrer-Policy", "no-referrer-when-downgrade"); //
This is the default (in Firefox at least)
// TODO in custom project. Public-Key-Pins-Report-Only is interesting
but can't be used OOTB because of demos (the letsencrypt certificate is renewed
every 3 months)
