Hi Jacques,
Thanks for the quick reply, really appreciated. I missed these tickets,
very interesting.
So I understand that you suggest having a variable in
security.properties (or another property file) which would be injected as
the HTTP CSP-Report-Only header?
What about allowing themes/components to override this header's content
(at their own risk :))? So if a theme maintainer wants to include a
library/font/... from an external server, he could modify the CSP and
avoid piling up warnings. But overriding only one value in a property
file is not possible (I think).
On 06/05/2022 at 15:56, Jacques Le Roux wrote:
Hi Florian,
Welcome, glad to have a new front end developer with us.
I indeed started to work on that in 2018, and just did the minimum:
https://issues.apache.org/jira/browse/OFBIZ-10417
Later Alex Bodnaru (no longer working with us) created
https://issues.apache.org/jira/browse/OFBIZ-11889
So, I then opened: https://issues.apache.org/jira/browse/OFBIZ-11951
There are few other related issues: https://s.apache.org/tt3zd
IMO having a configuration through properties would be a good help to
start. Maybe we can do better then...
HTH
Jacques
On 06/05/2022 at 14:10, Florian Motteau wrote:
Hello everyone,
I recently joined the awesome Néréide team, as a front end
developer, discovering OFBiz (and basically discovering what an ERP
is :)).
I noticed that OFBiz throws a lot of errors about external resources
in the browser console, because OFBiz sets a
"Content-Security-Policy-Report-Only" HTTP header, with "default-src:
'self'" on request responses, which is very conservative
(basically, this CSP will complain for all external resources, inline
scripts/CSS, images with "data" src etc...). Since OFBiz uses a
"Content-Security-Policy-Report-Only" (and not
"Content-Security-Policy") header, resources will be loaded anyway,
and nothing breaks.
For now I can see errors related to jsTree[1] and jGrowl[2]. They
both dynamically add script or stylesheet elements in the DOM (not
allowed with a default-src: 'self' CSP).
First I tried to update the CSP using the HTML meta <meta
http-equiv="Content-Security-Policy" content="...">, but
"Content-Security-Policy-Report-Only" (which is set as HTTP header in
UtilHttp.java) is not supported through a meta tag (only at server
level). See [3].
The reasoning behind this choice is summed up here: [4]. If I
understand correctly, the idea is to have a conservative CSP, and
work to remove all external/inline resources.
So I am wondering if "supporting" a CSP with only "default-src
'self'" should be a goal at this point, since OFBiz relies on
libraries (jsTree, jGrowl, maybe more?) which clearly prevent
reaching this goal. I may be missing something more important here but
it would be great to silence those warnings by removing this header
(not a big deal, but from a front end developer perspective it may
seem weird to have 20+ errors OOTB :). This CSP will also lead to
additional errors if one chooses to use external resources in his
theme (fonts, libraries from CDN...).
We could also modify the content of the
"Content-Security-Policy-Report-Only" header (use a more permissive
content) to get rid of jsTree/jGrowl errors (allowing 'safe-inline' for
script-src/style-src I guess). I would be glad to help on this.
Jacques, I saw you worked on it, do you have any suggestion?
Thank you
Florian Motteau
[1] https://github.com/vakata/jstree
[2] https://github.com/stanlemon/jGrowl
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
[4] https://cwiki.apache.org/confluence/display/OFBIZ
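As an added example, not code from this thread or from OFBiz: a small Python evaluator for the behaviour discussed above, which parses a policy such as the `default-src 'self'` header OFBiz sends, lists the loads a browser would report under it, and shows a theme override replacing whole directives, as the property-file discussion suggests. The origin, file names and CDN host are constructed sample values; the CSP keyword that permits inline scripts and styles is `'unsafe-inline'`.

```python
"""Added example (not OFBiz code): which resource loads would a CSP report?
Handles 'self', 'unsafe-inline', scheme sources such as data: and plain origins
such as https://fonts.gstatic.com; path matching and wildcard hosts are omitted."""
from urllib.parse import urlsplit

def parse_csp(header):
    """'default-src 'self'; img-src 'self' data:' -> {'default-src': ["'self'"], ...}"""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def merge(base, override):
    """Theme override: a directive in the override replaces the base one; the rest stays."""
    return {**base, **override}

def source_allows(source, origin, url, inline):
    """Does one source expression permit this load? Inline content needs 'unsafe-inline'."""
    if inline:
        return source == "'unsafe-inline'"
    u = urlsplit(url)
    load_origin = f"{u.scheme}://{u.netloc}" if u.netloc else u.scheme + ":"
    if source == "'self'":
        return load_origin == origin
    if source.endswith(":"):  # scheme-source, e.g. data: or https:
        return u.scheme + ":" == source
    return load_origin == source or u.netloc == source  # host-source

def check(policy, origin, loads):
    """Return [(directive, description)] for each load the policy would report.
    loads are (fetch directive, url or None, inline flag); a fetch directive absent
    from the policy falls back to default-src, as the browser does."""
    violations = []
    for directive, url, inline in loads:
        sources = policy.get(directive, policy.get("default-src"))
        if sources is not None and not any(source_allows(s, origin, url, inline) for s in sources):
            violations.append((directive, "inline" if inline else url))
    return violations

# Constructed sample: an OFBiz-like origin, the shipped policy and four typical loads.
ORIGIN = "https://ofbiz.example"
BASE = parse_csp("default-src 'self'")
LOADS = [("script-src", "https://ofbiz.example/static/jstree.js", False),  # same-origin script element
         ("style-src", None, True),                                        # inline <style> added by a plugin
         ("font-src", "https://fonts.gstatic.com/s/roboto.woff2", False),  # font from a CDN
         ("img-src", "data:image/png;base64,iVBORw0KGgo=", False)]         # data: image
THEME = merge(BASE, parse_csp("font-src 'self' https://fonts.gstatic.com; img-src 'self' data:"))
print(check(BASE, ORIGIN, LOADS), check(THEME, ORIGIN, LOADS))  # 3 reports, then only the inline style
```

Note that a script element whose src is same-origin is allowed by `default-src 'self'` even when added dynamically; it is the inline style/script content and the external or data: resources that produce the reports.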