Hi all,

Please find the comments inline.

On Tue, Jun 21, 2016 at 9:48 AM, Anupama Pathirage <anup...@wso2.com> wrote:

> Hi,
>
> When we build the product DSS [1] with the latest Kernel Release (4.4.6),
> we have observed the following issues in the "Try it" page. Appreciate any clue on
> this to get them resolved.
>
> *1)* In HTTPS mode, Try it requests give the following error on send [2][3].
>
> WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request
> forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.100.7.118,
> method:POST, uri:/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp,
> error:required token is missing from the request)
>
> Private proxy protocol will be attempted as cross-domain browser
> restrictions might be enforced for this endpoint.
>
> <TryitClient xmlns="http://tryit.carbon.wso2.org">
> <Reason>Error connecting to the Tryit ajax proxy</Reason>
> </TryitClient>
>
> *2)* Try it page does not load properly in Chrome. It loads correctly in
> Firefox. It gives the following error on Chrome [4].
>
> Refused to execute script from
> 'https://localhost:9443/services/echo?wsdl2form&resource=editarea/edit_area_full.js'
> because its MIME type ('text/html') is not executable, and strict MIME type
> checking is enabled.
> Uncaught ReferenceError: editAreaLoader is not defined.

When downgrading DSS's kernel version to 4.4.5 this issue doesn't occur. When comparing the response to the request http://10.100.7.67:9783/services/echo?wsdl2form&resource=editarea/edit_area_full.js in DSS with kernel 4.4.5 and kernel 4.4.6, it seems some additional headers are present in the latter. They were:

1. X-Content-Type-Options: nosniff
2. X-Frame-Options: DENY
3. X-XSS-Protection: 1; mode=block

Here the X-Content-Type-Options header is to make sure the browser does not try to detect a different Content-Type than what is actually sent [1]. Here the content type of the response is text/html. Therefore this error occurs for the edit_area_full.js file. And it seems Firefox (at least the version we tested with) does not support this header but Chrome does [2], which should be the reason why we don't get this error in Firefox.

Anyway, we built with kernel 4.4.6 and checked this in BPS, and it seems those additional headers are not present in the response.

> [1] https://github.com/wso2/product-dss/
> [2] https://drive.google.com/open?id=0B16LG8jdYeP8ZEpyV1F5cmRsTDA
> [3] https://drive.google.com/open?id=0B16LG8jdYeP8LWF2elVTbzFQOWs
> [4] https://drive.google.com/open?id=0B16LG8jdYeP8VmtlWXEtdmRJUjQ
>
> Regards,
> --
> Anupama Pathirage
> Associate Technical Lead
> WSO2, Inc. http://wso2.com/
> Email: anup...@wso2.com
> Mobile: +94 71 8273 979

[1] https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
[2] http://stackoverflow.com/questions/18337630/what-is-x-content-type-options-nosniff

Thanks,
Manuri

--
*Manuri Amaya Perera*
*Software Engineer*
*WSO2 Inc.*
*Blog: http://manuriamayaperera.blogspot.com*
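An added example, not code from the thread or from the WSO2 Carbon project, modelling the behaviour Manuri describes: the nosniff rule a browser applies to a script response, and the server-side fix of sending the correct Content-Type for the resource instead of the JSP's default text/html while keeping the hardening headers. The header sets are constructed to match the thread's description (text/html on both kernels, the three extra headers only on 4.4.6); the JavaScript MIME-type list is a subset of the Fetch standard's list, and the STATIC_TYPES map is an assumption about which resource types the Try it page serves.

```python
import mimetypes
from typing import Dict, Optional

# Subset of the Fetch standard's "JavaScript MIME type" list; a browser enforcing
# nosniff will only execute a <script> response whose type essence is in it.
JS_MIME_TYPES = {
    "application/javascript",
    "application/x-javascript",
    "application/ecmascript",
    "text/javascript",
    "text/ecmascript",
}


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def nosniff_enabled(headers: Dict[str, str]) -> bool:
    """True when the response carries X-Content-Type-Options: nosniff."""
    value = get_header(headers, "X-Content-Type-Options")
    return value is not None and value.strip().lower() == "nosniff"


def mime_essence(content_type: str) -> str:
    """'text/html; charset=UTF-8' -> 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def script_blocked(headers: Dict[str, str]) -> bool:
    """Mirror the browser rule behind the Chrome error in the thread.

    Without nosniff the browser may sniff the body, so a .js file served as
    text/html still runs (the 4.4.5 behaviour). With nosniff, a <script>
    response is refused unless its Content-Type is a JavaScript MIME type;
    a missing Content-Type is also refused.
    """
    if not nosniff_enabled(headers):
        return False
    content_type = get_header(headers, "Content-Type")
    if content_type is None:
        return True
    return mime_essence(content_type) not in JS_MIME_TYPES


# Assumed set of static resource types the Try it page serves; .js is pinned so
# the result does not depend on the stdlib mimetypes table of a given Python.
STATIC_TYPES = {
    ".js": "application/javascript",
    ".css": "text/css",
    ".html": "text/html",
    ".htm": "text/html",
}


def content_type_for(resource: str) -> str:
    """Pick the Content-Type from the resource's extension rather than
    letting the JSP default to text/html."""
    dot = resource.rfind(".")
    ext = resource[dot:].lower() if dot != -1 else ""
    if ext in STATIC_TYPES:
        return STATIC_TYPES[ext]
    guessed, _ = mimetypes.guess_type(resource)
    return guessed or "application/octet-stream"


def serve_resource(resource: str) -> Dict[str, str]:
    """Headers a fixed resource proxy would send: keep the hardening headers
    from kernel 4.4.6 and send the right Content-Type so nosniff no longer
    blocks the script."""
    return {
        "Content-Type": content_type_for(resource),
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "X-XSS-Protection": "1; mode=block",
    }


# Constructed header sets modelled on the thread's description of both kernels.
KERNEL_445_RESPONSE = {"Content-Type": "text/html; charset=UTF-8"}
KERNEL_446_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    path = "editarea/edit_area_full.js"
    print("4.4.5 headers, script blocked:", script_blocked(KERNEL_445_RESPONSE))
    print("4.4.6 headers, script blocked:", script_blocked(KERNEL_446_RESPONSE))
    print("fixed headers, script blocked:", script_blocked(serve_resource(path)))
```

The point of the model is that the right fix is on the Content-Type side: dropping X-Content-Type-Options would restore the page in Chrome but would also give up the sniffing protection the kernel added, whereas serving edit_area_full.js as a JavaScript type satisfies the browser with the header left in place.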
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev