Thanks Jacques, I'll look into it !

Le 07/05/2022 à 10:33, Jacques Le Roux a écrit :
BTW I created this Jira CSP related filter: https://issues.apache.org/jira/browse/OFBIZ-11889?filter=12351704

Le 07/05/2022 à 10:21, Jacques Le Roux a écrit :
Hi Florian,

Yes, users could use their own CSP by changing the CSP-Report-Only default from a property in security.properties

Of course this is a very simple (unique) mechanism and if we need something more dynamic we also need to set something new.

It could be special csp.properties file in components. But I think using OFBiz (not Java) SystemProperties would fit better (see common entitymodel.xml line 87 in trunk) because it allows dynamic interaction with the DB.

HTH

Jacques

Le 06/05/2022 à 16:27, Florian Motteau a écrit :
Hi Jacques,

Thanks for the quick reply, really appreciated. I missed these tickets, very interseting.

So I understand that you suggest to have a variable in security.properties (or other property file) which would be injected as HTTP CSP-Report-Only header ?

What about allowing themes/component to override this header's content (at their own risk :)) ? So if a theme maintainer wants to include a library/font/... from an external server, he could modify the CSP and avoid piling up warnings. But overriding only one value in a property file is not possible (I think).

Le 06/05/2022 à 15:56, Jacques Le Roux a écrit :
Hi Florian,

Welcome, glad to have a new front end developer with us.

I indeed started to work on that in 2018, and just did the minimum: https://issues.apache.org/jira/browse/OFBIZ-10417

Later Alex Bodnaru (no longer working with us) created https://issues.apache.org/jira/browse/OFBIZ-11889

So, I then opened: https://issues.apache.org/jira/browse/OFBIZ-11951

There are few other related issues: https://s.apache.org/tt3zd

IMO having a configuration through properties would be a good help to start. Maybe we can do better then...

HTH

Jacques

Le 06/05/2022 à 14:10, Florian Motteau a écrit :
Hello everyone,

I recently joined the awesome Néréide team, as a front end developper, discovering OFBiz (and basically discovering what an ERP is :)).

I noticed that OFBiz throws a lot of errors about external resources in the browser console, because OFBiz sets a "Content-Security-Policy-Report-Only" HTTP header, with "default-src: 'self'" on request responses, which is a very conservative (basically, this CSP will complain for all external resources, inline scripts/CSS, images with "data" src etc...). Since OFBiz uses a "Content-Security-Policy-Report-Only" (and not "Content-Security-Policy") header, resources will be loaded anyway, and nothing breaks.

For now I can see errors related to jsTree[1] and jGrowl[2]. They both dynamically add scripts or stylesheets elements in the DOM (not allowed with a default-src: 'self' CSP)

First I tried to update the CSP using the HTML meta <meta http-equiv="Content-Security-Policy" content="...">, but "Content-Security-Policy-Report-Only" (which is set as HTTP header in UtilHttp.java) is not supported through a meta tag (only at server level). See [3].

The reasoning behind this choice is summed up here : [4]. If I understand correctly, the idea is to have a conservative CSP, and work to remove all external/inline resources.

So I am wondering if "supporting" a CSP with only "default-src 'self'" should be a goal at this point, since OFBiz relies on libraries (jsTree, jGrowl, maybe more ?) which clearly forbid to reach this goal. I may be missing something more important here but It would be great to silent those warnings by removing this header (not a big deal, but from a front end developer perspective it may seem weird to have 20+ errors OOTB :). This CSP will also lead to additional errors if one chooses to use external resources in his theme (fonts, libraries from CDN...).

We could also modify the content of the "Content-Security-Policy-Report-Only" (use a more permissive content) header to get rid of jsTree/jGrowl errors (allowing 'safe-inline' for script-src/ style-src I guess). I would be glad to help on this.

Jacques I saw you worked on it, do you have any suggestion ?

Thank you
Florian Motteau

[1] https://github.com/vakata/jstree
[2] https://github.com/stanlemon/jGrowl
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
[4] https://cwiki.apache.org/confluence/display/OFBIZ

Reply via email to