BTW I created this Jira CSP-related filter:
https://issues.apache.org/jira/browse/OFBIZ-11889?filter=12351704

On 07/05/2022 at 10:21, Jacques Le Roux wrote:
Hi Florian,

Yes, users could use their own CSP by changing the CSP-Report-Only default from 
a property in security.properties

Of course this is a very simple (unique) mechanism and if we need something 
more dynamic we also need to set something new.

It could be a special csp.properties file in components. But I think using OFBiz (not Java) SystemProperties would fit better (see common entitymodel.xml line 87 in trunk) because it allows dynamic interaction with the DB.

HTH

Jacques

On 06/05/2022 at 16:27, Florian Motteau wrote:
Hi Jacques,

Thanks for the quick reply, really appreciated. I missed these tickets, very interesting.

So I understand that you suggest having a variable in security.properties (or another property file) which would be injected as the HTTP CSP-Report-Only header?

What about allowing themes/components to override this header's content (at their own risk :))? So if a theme maintainer wants to include a library/font/... from an external server, they could modify the CSP and avoid piling up warnings. But overriding only one value in a property file is not possible (I think).

On 06/05/2022 at 15:56, Jacques Le Roux wrote:
Hi Florian,

Welcome, glad to have a new front end developer with us.

I indeed started to work on that in 2018, and just did the minimum: 
https://issues.apache.org/jira/browse/OFBIZ-10417

Later Alex Bodnaru (no longer working with us) created 
https://issues.apache.org/jira/browse/OFBIZ-11889

So, I then opened: https://issues.apache.org/jira/browse/OFBIZ-11951

There are a few other related issues: https://s.apache.org/tt3zd

IMO having a configuration through properties would be a good help to start. 
Maybe we can do better then...

HTH

Jacques

On 06/05/2022 at 14:10, Florian Motteau wrote:
Hello everyone,

I recently joined the awesome Néréide team as a front end developer, discovering OFBiz (and basically discovering what an ERP is :)).

I noticed that OFBiz throws a lot of errors about external resources in the browser console, because OFBiz sets a "Content-Security-Policy-Report-Only" HTTP header with "default-src: 'self'" on request responses, which is very conservative (basically, this CSP will complain about all external resources, inline scripts/CSS, images with a "data" src, etc.). Since OFBiz uses a "Content-Security-Policy-Report-Only" (and not "Content-Security-Policy") header, resources will be loaded anyway, and nothing breaks.

For now I can see errors related to jsTree[1] and jGrowl[2]. They both dynamically add script or stylesheet elements to the DOM (not allowed with a default-src: 'self' CSP).

First I tried to update the CSP using the HTML meta tag <meta http-equiv="Content-Security-Policy" content="...">, but "Content-Security-Policy-Report-Only" (which is set as an HTTP header in UtilHttp.java) is not supported through a meta tag (only at the server level). See [3].

The reasoning behind this choice is summed up here: [4]. If I understand correctly, the idea is to have a conservative CSP and work to remove all external/inline resources.

So I am wondering if "supporting" a CSP with only "default-src 'self'" should be a goal at this point, since OFBiz relies on libraries (jsTree, jGrowl, maybe more?) which clearly prevent reaching this goal. I may be missing something more important here, but it would be great to silence those warnings by removing this header (not a big deal, but from a front end developer's perspective it may seem weird to have 20+ errors OOTB :). This CSP will also lead to additional errors if one chooses to use external resources in their theme (fonts, libraries from a CDN...).

We could also modify the content of the "Content-Security-Policy-Report-Only" header (use more permissive content) to get rid of the jsTree/jGrowl errors (allowing 'safe-inline' for script-src/style-src, I guess). I would be glad to help on this.

Jacques, I saw you worked on it, do you have any suggestions?

Thank you
Florian Motteau

[1] https://github.com/vakata/jstree
[2] https://github.com/stanlemon/jGrowl
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
[4] https://cwiki.apache.org/confluence/display/OFBIZ
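The thread above discusses two things: emitting the policy from a property (Jacques) and letting a theme or component override a single directive without replacing the whole policy (Florian). The following is an added illustration written for this page, not OFBiz code or anything from UtilHttp.java: it parses a site-wide default policy and a component override into per-directive maps, merges them directive by directive, and picks the header name from a report-only flag. The property keys `csp.policy` and `csp.report-only`, the `csp.properties` idea, and the `https://fonts.gstatic.com` origin are assumptions made for the example; the two `Properties` objects are constructed stand-ins for security.properties and a component's own file.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

/**
 * Added illustration, not OFBiz code: compose a CSP header value from a
 * site-wide default (standing in for security.properties) and a component
 * override that only touches the directives it names. The property keys
 * (csp.policy, csp.report-only) and the fonts.gstatic.com origin are
 * assumptions made for this example.
 */
public class CspMerge {

    /** Parse "directive src src; directive2 src" into an ordered directive -> sources map. */
    static Map<String, String> parse(String policy) {
        Map<String, String> directives = new LinkedHashMap<>();
        for (String part : policy.split(";")) {
            String p = part.trim();
            if (p.isEmpty()) {
                continue;
            }
            int space = p.indexOf(' ');
            String name = space < 0 ? p : p.substring(0, space);
            String sources = space < 0 ? "" : p.substring(space + 1).trim();
            directives.put(name.toLowerCase(), sources);
        }
        return directives;
    }

    /** Serialize back to header syntax; directives keep their insertion order. */
    static String serialize(Map<String, String> directives) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : directives.entrySet()) {
            if (sb.length() > 0) {
                sb.append("; ");
            }
            sb.append(e.getKey());
            if (!e.getValue().isEmpty()) {
                sb.append(' ').append(e.getValue());
            }
        }
        return sb.toString();
    }

    /**
     * Per-directive merge: a directive named in the override replaces the
     * default's version of it; everything the override does not mention
     * (here default-src) survives untouched.
     */
    static String merge(String basePolicy, String overridePolicy) {
        Map<String, String> merged = parse(basePolicy);
        merged.putAll(parse(overridePolicy));
        return serialize(merged);
    }

    public static void main(String[] args) {
        // Constructed stand-in for security.properties.
        Properties security = new Properties();
        security.setProperty("csp.policy", "default-src 'self'");
        security.setProperty("csp.report-only", "true");

        // Constructed stand-in for a theme's csp.properties: the theme needs
        // inline styles (jGrowl-style DOM injection) and an external font host,
        // but leaves default-src alone.
        Properties theme = new Properties();
        theme.setProperty("csp.policy",
                "style-src 'self' 'unsafe-inline'; font-src 'self' https://fonts.gstatic.com");

        String value = merge(security.getProperty("csp.policy"),
                theme.getProperty("csp.policy", ""));

        // Report-Only is only honoured as an HTTP header, never in a <meta> tag,
        // so this value has to reach the response on the server side.
        boolean reportOnly = Boolean.parseBoolean(security.getProperty("csp.report-only", "true"));
        String headerName = reportOnly ? "Content-Security-Policy-Report-Only"
                                       : "Content-Security-Policy";
        // In a servlet this is where response.setHeader(headerName, value) would go.
        System.out.println(headerName + ": " + value);
    }
}
```

Two caveats worth keeping in mind when wiring something like this into a real filter: a merge that replaces whole directives means an override can silently drop a source the default relied on (so log the final value), and `'unsafe-inline'` in `style-src` or `script-src` is exactly the relaxation a report-only rollout is meant to surface, so a per-component override should be reviewed before the header is ever switched to enforcing mode.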
