Hello everyone,
I recently joined the awesome Néréide team as a front-end developer,
discovering OFBiz (and basically discovering what an ERP is :)).
I noticed that OFBiz throws a lot of errors about external resources in
the browser console, because OFBiz sets a
"Content-Security-Policy-Report-Only" HTTP header with "default-src
'self'" on request responses, which is very conservative (basically,
this CSP will complain about all external resources, inline scripts/CSS,
images with a "data" src, etc.). Since OFBiz uses a
"Content-Security-Policy-Report-Only" (and not
"Content-Security-Policy") header, resources will be loaded anyway, and
nothing breaks.
For now I can see errors related to jsTree [1] and jGrowl [2]. They both
dynamically add script or stylesheet elements to the DOM (not allowed
with a "default-src 'self'" CSP).
First I tried to update the CSP using the HTML meta tag <meta
http-equiv="Content-Security-Policy" content="...">, but
"Content-Security-Policy-Report-Only" (which is set as an HTTP header in
UtilHttp.java) is not supported through a meta tag (only at the server
level). See [3].
The reasoning behind this choice is summed up here: [4]. If I
understand correctly, the idea is to have a conservative CSP and work
to remove all external/inline resources.
So I am wondering whether "supporting" a CSP with only "default-src 'self'"
should be a goal at this point, since OFBiz relies on libraries (jsTree,
jGrowl, maybe more?) which clearly prevent reaching this goal. I may be
missing something more important here, but it would be great to silence
those warnings by removing this header (not a big deal, but from a front-end
developer's perspective it may seem weird to have 20+ errors OOTB :).
This CSP will also lead to additional errors if one chooses to use
external resources in his theme (fonts, libraries from CDN...).
We could also modify the content of the
"Content-Security-Policy-Report-Only" header (use a more permissive
content) to get rid of the jsTree/jGrowl errors (allowing 'unsafe-inline'
for script-src/style-src, I guess). I would be glad to help on this.
Jacques, I saw you worked on it; do you have any suggestion?
Thank you
Florian Motteau
[1] https://github.com/vakata/jstree
[2] https://github.com/stanlemon/jGrowl
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
[4] https://cwiki.apache.org/confluence/display/OFBIZ
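The behaviour the message above relies on (a "default-src 'self'" policy complaining about inline styles, data: images and CDN resources but not about same-origin loads; Report-Only reporting without blocking; Report-Only being ignored in a meta tag) can be checked offline with the small policy model below. This is an added example, not code from OFBiz, from jsTree/jGrowl or from the mail's author. The page origin, header values and sample loads are constructed here; host-source matching is simplified to exact origin or a "*.host" wildcard, and nonces/hashes are not modelled.

```javascript
// Added example (not OFBiz code): a minimal model of how a browser applies a
// Content-Security-Policy to the kinds of loads discussed in the mail.

const DIRECTIVE_FOR = { script: 'script-src', style: 'style-src', img: 'img-src', font: 'font-src' };

// "default-src 'self'; img-src data:" -> Map { 'default-src' => ["'self'"], 'img-src' => ['data:'] }
function parsePolicy(value) {
  const policy = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// A fetch directive that is absent falls back to default-src; if both are absent
// the load is unrestricted. Returns the directive actually used for reporting.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return { directive, sources: policy.get(directive) };
  if (policy.has('default-src')) return { directive: 'default-src', sources: policy.get('default-src') };
  return { directive, sources: null };
}

function sourceAllows(sources, load, pageOrigin) {
  if (sources === null) return true;
  // Inline <script>/<style> content needs 'unsafe-inline' (nonces/hashes not modelled here).
  if (load.inline) return sources.includes("'unsafe-inline'");
  const url = new URL(load.url, pageOrigin); // data: URLs resolve with origin "null"
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "'self'") { if (url.origin === pageOrigin) return true; continue; }
    if (src === '*') { if (url.protocol === 'http:' || url.protocol === 'https:') return true; continue; }
    if (src.endsWith(':')) { if (url.protocol === src) return true; continue; } // scheme source, e.g. data:
    if (src.startsWith('*.')) { if (url.hostname.endsWith(src.slice(1))) return true; continue; }
    if (!src.startsWith("'") && (src === url.origin || src === url.host)) return true;
  }
  return false;
}

// Evaluate one load against every policy the response delivered. Report-Only
// policies generate a report but never block; Report-Only in <meta> is ignored.
function evaluate(load, delivered, pageOrigin) {
  const result = { loaded: true, reports: [] };
  for (const { header, value, via } of delivered) {
    const reportOnly = header.toLowerCase() === 'content-security-policy-report-only';
    if (reportOnly && via === 'meta') continue;
    const { directive, sources } = effectiveSources(parsePolicy(value), DIRECTIVE_FOR[load.kind]);
    if (sourceAllows(sources, load, pageOrigin)) continue;
    result.reports.push({ violatedDirective: directive, reportOnly, load: load.key });
    if (!reportOnly) result.loaded = false;
  }
  return result;
}

// Constructed sample: one page origin and the four load types the mail mentions.
const PAGE_ORIGIN = 'https://erp.example.test';
const SAMPLE_LOADS = [
  { key: 'sameOriginScript', kind: 'script', url: '/js/plugin.js' },          // script element added to the DOM
  { key: 'inlineStyle', kind: 'style', inline: true },                          // <style> injected by a widget
  { key: 'dataImage', kind: 'img', url: 'data:image/gif;base64,R0lGODlhAQABAAAAACw=' },
  { key: 'cdnFont', kind: 'font', url: 'https://cdn.example.net/roboto.woff2' },
];

const CONSERVATIVE = "default-src 'self'";
const RELAXED = "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:";

// Run every sample load against one policy delivered through one channel.
function summarize(policyValue, header, via = 'header') {
  return Object.fromEntries(SAMPLE_LOADS.map((load) => {
    const r = evaluate(load, [{ header, value: policyValue, via }], PAGE_ORIGIN);
    return [load.key, { loaded: r.loaded, violations: r.reports.length }];
  }));
}

console.log(JSON.stringify({
  reportOnlyConservative: summarize(CONSERVATIVE, 'Content-Security-Policy-Report-Only'),
  enforcedConservative: summarize(CONSERVATIVE, 'Content-Security-Policy'),
  enforcedRelaxed: summarize(RELAXED, 'Content-Security-Policy'),
  reportOnlyInMeta: summarize(CONSERVATIVE, 'Content-Security-Policy-Report-Only', 'meta'),
}, null, 2));
```

Under the conservative Report-Only policy everything still loads but three of the four sample loads produce a violation; the same-origin script element is the one case 'self' permits. Switching the header name to the enforcing one blocks those three, and the relaxed policy shows which directives would have to be opened up (style-src with 'unsafe-inline', img-src with data:) while a CDN font would still fall back to default-src 'self'.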