I have finally decided to backport this (low) security issue.

It's easy to do so, better to be safe than sorry.

Jacques

On 20/03/2020 at 10:51, jler...@apache.org wrote:
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
      new b6a796c  Improved: no functional change
b6a796c is described below

commit b6a796cbdfc662459a4b52a01f0a9b67c18e7c30
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Mar 20 10:51:49 2020 +0100

    Improved: no functional change
    Adds "Content-Security-Policy" frame-ancestors="self" in ErrorPage.ftl
    Because this page is used as an HTTP 500 error it's more susceptible to
    clickjacking
    Quoting OWASP ZAP:
    This problem still applies to error-type pages (401, 403, 500, etc.), as these
    pages are still often affected by injection problems, in which case it is still
    possible that browsers may interpret pages differently from their actual content
    type.
    I tried to work on other file types that were also reported but it's complicated
    and I believe it's not worth it
---
  themes/common-theme/template/ErrorPage.ftl | 1 +
  1 file changed, 1 insertion(+)

diff --git a/themes/common-theme/template/ErrorPage.ftl 
b/themes/common-theme/template/ErrorPage.ftl
index 47f7caf..9be67b0 100644
--- a/themes/common-theme/template/ErrorPage.ftl
+++ b/themes/common-theme/template/ErrorPage.ftl
@@ -19,6 +19,7 @@ under the License.
  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html>
  <head>
+    <meta http-equiv="Content-Security-Policy" frame-ancestors="self">
      <title>500 Internal error</title>
      <style>
          body{
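Review bot: the added `<meta>` element on the `+` line has no effect as written. A CSP delivered through `<meta http-equiv="Content-Security-Policy">` must carry the policy in a `content` attribute (`frame-ancestors` is not a `<meta>` attribute, so the browser ignores it), and the policy value must quote the keyword as `'self'`, i.e. `content="frame-ancestors 'self'"`. Even in that corrected form, the CSP specification excludes `frame-ancestors` from policies delivered via `<meta>`, so browsers will still not enforce it; to actually prevent framing of this error page, send `Content-Security-Policy: frame-ancestors 'self'` (and, for older browsers, `X-Frame-Options: SAMEORIGIN`) as an HTTP response header on the 500 response from whatever serves ErrorPage.ftl, and re-run the ZAP check against the response headers to confirm the finding clears.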
