svn commit: r1812720 - /ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java

Fri, 20 Oct 2017 01:03:08 -0700 

Author: jleroux
Date: Fri Oct 20 08:02:55 2017
New Revision: 1812720

URL: http://svn.apache.org/viewvc?rev=1812720&view=rev
Log:
Implemented: Secure HTTP headers
(OFBIZ-6766)

Adds a Content Security Policy

To not block anything for the moment I have committed a simple most restrictive
Content-Security-Policy-Report-Only header

Then we can look at the issues using browsers tools (there are so much)
The next step is to report the errors (when there will not be too much) in the 
log using a report-uri
And ultimately to use OOTB the most simple and constraining policy, with 
exceptions of course (as ever).



Modified:
    
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java

Modified: 
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
URL: 
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java?rev=1812720&r1=1812719&r2=1812720&view=diff
==============================================================================
--- 
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
 (original)
+++ 
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
 Fri Oct 20 08:02:55 2017
@@ -983,6 +983,10 @@ public class RequestHandler {
         
         resp.setHeader("Referrer-Policy", "no-referrer-when-downgrade"); // 
This is the default (in Firefox at least)
         
+        //resp.setHeader("Content-Security-Policy", "default-src 'self'");
+        //resp.setHeader("Content-Security-Policy-Report-Only", "default-src 
'self'; report-uri webtools/control/ContentSecurityPolicyReporter");
+        resp.setHeader("Content-Security-Policy-Report-Only", "default-src 
'self'");
+        
         // TODO in custom project. Public-Key-Pins-Report-Only is interesting 
but can't be used OOTB because of demos (the letsencrypt certificate is renewed 
every 3 months)
         
         // Security headers 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Reply via email to