Hello everyone,

I recently joined the awesome Néréide team, as a front end developer, discovering OFBiz (and basically discovering what an ERP is :)).

I noticed that OFBiz throws a lot of errors about external resources in the browser console, because OFBiz sets a "Content-Security-Policy-Report-Only" HTTP header, with "default-src: 'self'", on request responses, which is very conservative (basically, this CSP will complain for all external resources, inline scripts/CSS, images with "data" src etc...). Since OFBiz uses a "Content-Security-Policy-Report-Only" (and not "Content-Security-Policy") header, resources will be loaded anyway, and nothing breaks.

For now I can see errors related to jsTree[1] and jGrowl[2]. They both dynamically add scripts or stylesheets elements in the DOM (not allowed with a default-src: 'self' CSP)

First I tried to update the CSP using the HTML meta <meta http-equiv="Content-Security-Policy" content="...">, but "Content-Security-Policy-Report-Only" (which is set as HTTP header in UtilHttp.java) is not supported through a meta tag (only at server level). See [3].

The reasoning behind this choice is summed up here: [4]. If I understand correctly, the idea is to have a conservative CSP, and work to remove all external/inline resources.

So I am wondering if "supporting" a CSP with only "default-src 'self'" should be a goal at this point, since OFBiz relies on libraries (jsTree, jGrowl, maybe more?) which clearly forbid reaching this goal. I may be missing something more important here, but it would be great to silence those warnings by removing this header (not a big deal, but from a front end developer perspective it may seem weird to have 20+ errors OOTB :). This CSP will also lead to additional errors if one chooses to use external resources in his theme (fonts, libraries from CDN...).

We could also modify the content of the "Content-Security-Policy-Report-Only" (use a more permissive content) header to get rid of jsTree/jGrowl errors (allowing 'safe-inline' for script-src/ style-src I guess). I would be glad to help on this.

Jacques, I saw you worked on it, do you have any suggestion?

Thank you
Florian Motteau

[1] https://github.com/vakata/jstree
[2] https://github.com/stanlemon/jGrowl
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
[4] https://cwiki.apache.org/confluence/display/OFBIZ
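To make the difference between the two headers and the two policy shapes discussed above concrete, here is an added example that is not part of the thread and not OFBiz code: a toy evaluator for CSP fetch directives. It models only the handful of source expressions needed to see why "default-src 'self'" reports inline scripts/styles, data: images and CDN fonts, and what happens when specific directives are opened instead (the CSP keyword for allowing inline code is spelled 'unsafe-inline'). The page origin, the CDN hostname and the sample loads are constructed placeholders; a real browser implements far more (nonces, hashes, wildcard hosts, 'strict-dynamic', ...).

```javascript
// Added example, not OFBiz code: a toy CSP evaluator for fetch directives.
// Supports 'self', 'none', 'unsafe-inline', scheme sources (data:) and exact
// origin sources; everything else in real CSP is deliberately left out.

// Parse "directive src src; directive src" into Map(directive -> [sources]).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// A fetch directive that is absent falls back to default-src; if neither is
// present the load is unrestricted (null).
function sourcesFor(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  return directives.has('default-src') ? directives.get('default-src') : null;
}

// Does one source expression permit this load?
// load.origin is a full origin ("https://host"), "inline", or a scheme ("data:").
function sourceMatches(source, load, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return load.origin === pageOrigin;
  if (source === "'unsafe-inline'") return load.origin === 'inline';
  if (source.endsWith(':')) return load.origin.startsWith(source); // scheme source
  return load.origin === source;                                   // host source (exact origin only here)
}

// Decide what the browser would do with each load under the given header.
// "Content-Security-Policy" blocks violations; "Content-Security-Policy-Report-Only"
// only reports them, so the resource still loads and nothing breaks.
function evaluate(headerName, policy, loads, pageOrigin) {
  const directives = parsePolicy(policy);
  const enforce = headerName.toLowerCase() === 'content-security-policy';
  return loads.map(load => {
    const sources = sourcesFor(directives, load.directive);
    const allowed = sources === null || sources.some(s => sourceMatches(s, load, pageOrigin));
    const action = allowed ? 'allow' : (enforce ? 'block' : 'report');
    return { label: load.label, directive: load.directive, action };
  });
}

function countViolations(results) {
  return results.filter(r => r.action !== 'allow').length;
}

// Constructed sample loads mirroring the kinds of things the thread mentions
// (hostnames are placeholders, not real OFBiz or CDN addresses).
const PAGE_ORIGIN = 'https://ofbiz.example';
const SAMPLE_LOADS = [
  { label: 'own bundled script',    directive: 'script-src', origin: PAGE_ORIGIN },
  { label: 'inline <script> block', directive: 'script-src', origin: 'inline' },
  { label: 'inline <style> block',  directive: 'style-src',  origin: 'inline' },
  { label: 'data: URI image',       directive: 'img-src',    origin: 'data:' },
  { label: 'web font from a CDN',   directive: 'font-src',   origin: 'https://fonts.example' },
];

const STRICT_POLICY = "default-src 'self'";
// A relaxed policy of the kind discussed: keep 'self' as the default but open
// only the directives that the libraries and the theme actually need.
const RELAXED_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline'; " +
  "style-src 'self' 'unsafe-inline'; img-src 'self' data:; " +
  "font-src 'self' https://fonts.example";

if (typeof require !== 'undefined' && require.main === module) {
  for (const policy of [STRICT_POLICY, RELAXED_POLICY]) {
    console.log(`Content-Security-Policy-Report-Only: ${policy}`);
    for (const r of evaluate('Content-Security-Policy-Report-Only', policy, SAMPLE_LOADS, PAGE_ORIGIN)) {
      console.log(`  ${r.action.padEnd(6)} ${r.directive.padEnd(10)} ${r.label}`);
    }
  }
}
```

Run with node to see the strict policy report four of the five loads while the relaxed one reports none; switching the header name to "Content-Security-Policy" turns each "report" into "block", which is exactly the step a report-only rollout is meant to prepare for.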
