Hi all,

Please find the comments inline.

On Tue, Jun 21, 2016 at 9:48 AM, Anupama Pathirage <anup...@wso2.com> wrote:

> Hi,
>
> When we build the product DSS [1] with the latest Kernel release (4.4.6),
> we have observed the following issues in the "Try it" page. Appreciate any
> clue on this to get them resolved.
>
> *1)* In HTTPS mode, Try it requests give the following error on send [2][3].
>
> WARN {org.owasp.csrfguard.log.JavaLogger} -  potential cross-site request
> forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.100.7.118,
> method:POST, uri:/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp,
> error:required token is missing from the request)
>
> Private proxy protocol will be attempted as cross-domain browser
> restrictions might be enforced for this endpoint.
>
> <TryitClient xmlns="http://tryit.carbon.wso2.org";>
>    <Reason>Error connecting to the Tryit ajax proxy</Reason>
> </TryitClient>
>
> *2)* Try it page does not load properly in Chrome. It loads correctly in
> Firefox. It gives the following error on Chrome [4].
>
> Refused to execute script from
> 'https://localhost:9443/services/echo?wsdl2form&resource=editarea/edit_area_full.js'
> because its MIME type ('text/html') is not executable, and strict MIME type
> checking is enabled.
> Uncaught ReferenceError: editAreaLoader is not defined.
>

​When downgrading DSS's kernel version to 4.4.5 this issue doesn't occur.
When comparing the response to the request
http://10.100.7.67:9783/services/echo?wsdl2form&resource=editarea/edit_area_full.js
 in DSS with kernel 4.4.5 and kernel 4.4.6 it seems some additional headers
are present in the latter. They were,

   1. X-Content-Type-Options: nosniff
   2. X-Frame-Options: DENY
   3. X-XSS-Protection: 1; mode=block

Here the X-Content-Type-Options header is to make sure the browser does
not try to detect a different Content-Type than what is actually sent [1].
Here the content type of the response is text/html. Therefore this error
occurs for the edit_area_full.js file. And it seems Firefox (at least the
version we tested with) is not supporting this header but Chrome does [2],
which should be the reason why we don't get this error in Firefox.

Anyway, we built with kernel 4.4.6 and checked this in BPS, and it seems
those additional headers are not present in the response.


> [1] https://github.com/wso2/product-dss/
> [2] https://drive.google.com/open?id=0B16LG8jdYeP8ZEpyV1F5cmRsTDA
> [3] https://drive.google.com/open?id=0B16LG8jdYeP8LWF2elVTbzFQOWs
> [4] https://drive.google.com/open?id=0B16LG8jdYeP8VmtlWXEtdmRJUjQ
>
> Regards,
> --
> Anupama Pathirage
> Associate Technical Lead
> WSO2, Inc.  http://wso2.com/
> Email: anup...@wso2.com
> Mobile:+94 71 8273 979
>

[1] https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
[2] http://stackoverflow.com/questions/18337630/what-is-x-content-type-options-nosniff

Thanks,
Manuri

-- 

*Manuri Amaya Perera*

*Software Engineer*

*WSO2 Inc.*

*Blog: http://manuriamayaperera.blogspot.com*
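To make the header behaviour discussed above concrete, here is an added check (example code, not part of the WSO2 products or this thread) that parses an HTTP response header block and reports whether a browser honouring `X-Content-Type-Options: nosniff` would refuse to execute the body as a script. The two responses are constructed to mirror the kernel 4.4.5 and 4.4.6 descriptions above, not captured from a server.

```python
# Added example, not WSO2 code. Parses an HTTP response header block and reports
# whether a browser that honours X-Content-Type-Options: nosniff would refuse to
# execute the body as a <script>, as Chrome did for edit_area_full.js above.

# JavaScript MIME types that strict MIME checking accepts for <script> (per the
# WHATWG MIME Sniffing standard). Anything else is refused under nosniff.
JS_MIME_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

def parse_headers(raw: str) -> dict:
    """Turn 'status line + headers' into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                     # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def script_blocked_by_nosniff(headers: dict) -> bool:
    """True when nosniff is set and Content-Type is not a JavaScript MIME type."""
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    # Drop parameters such as '; charset=UTF-8' before comparing the type.
    ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    return nosniff and ctype not in JS_MIME_TYPES

# Constructed responses for .../echo?wsdl2form&resource=editarea/edit_area_full.js
# (kernel 4.4.5 without the extra headers, kernel 4.4.6 with them); not real captures.
KERNEL_445_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
)
KERNEL_446_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n\r\n"
)

if __name__ == "__main__":
    for kernel, raw in (("4.4.5", KERNEL_445_RESPONSE), ("4.4.6", KERNEL_446_RESPONSE)):
        verdict = "refused" if script_blocked_by_nosniff(parse_headers(raw)) else "executed"
        print(f"kernel {kernel}: script {verdict}")
```

The same check passes once the resource is served with a JavaScript Content-Type, which is the fix the nosniff header is pushing for rather than removing the header.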
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
