On Tue, Jun 21, 2016 at 2:37 PM, Manuri Amaya Perera <manu...@wso2.com>
wrote:

> Hi all,
>
> Please find the comments inline.
>
> On Tue, Jun 21, 2016 at 9:48 AM, Anupama Pathirage <anup...@wso2.com>
> wrote:
>
>> Hi,
>>
>> When we build the product DSS [1] with the latest Kernel Release (4.4.6),
>> we have observed the following issues in the "Try it" page. Appreciate any
>> clue on this to get them resolved.
>>
>> *1)* In HTTPS mode, Try it requests give the following error on send [2][3].
>>
>> WARN {org.owasp.csrfguard.log.JavaLogger} -  potential cross-site request
>> forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.100.7.118,
>> method:POST, uri:/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp,
>> error:required token is missing from the request)
>>
>> Private proxy protocol will be attempted as cross-domain browser
>> restrictions might be enforced for this endpoint.
>>
>> <TryitClient xmlns="http://tryit.carbon.wso2.org">
>>    <Reason>Error connecting to the Tryit ajax proxy</Reason>
>> </TryitClient>
>>
>> *2)* Try it page does not load properly in Chrome. It loads correctly in
>> Firefox. It gives the following error on Chrome [4].
>>
>> Refused to execute script from '
>> https://localhost:9443/services/echo?wsdl2form&resource=editarea/edit_area_full.js'
>> because its MIME type ('text/html') is not executable, and strict MIME type
>> checking is enabled.
>> Uncaught ReferenceError: editAreaLoader is not defined.
>>
>
> When downgrading DSS's kernel version to 4.4.5 this issue doesn't occur.
> When comparing the response to the request
>
> http://10.100.7.67:9783/services/echo?wsdl2form&resource=editarea/edit_area_full.js
>  in DSS with kernel 4.4.5 and kernel 4.4.6 it seems some additional
> headers are present in the latter. They were,
>
>    1. X-Content-Type-Options: nosniff
>    2. X-Frame-Options: DENY
>    3. X-XSS-Protection: 1; mode=block
>
> Here the X-Content-Type-Options header is to make sure the browser does
> not try to detect a different Content-Type than what is actually sent [1].
>

What is the Content-Type (or rather Accept) header sent by the browser?


> Here the content type of the response is text/html. Therefore this error
> occurs for the edit_area_full.js file. And it seems Firefox (at least the
> version we tested with) does not support this header but Chrome does [2],
> which should be the reason why we don't get this error in Firefox.
>
> Anyway we built with kernel 4.4.6 and checked this in BPS and it seems
> those additional headers are not present in the response.
>

If the configurations and the tryit version are the same, then both these
products should behave in a similar manner.


>
>
> [1] https://github.com/wso2/product-dss/
>> [2] https://drive.google.com/open?id=0B16LG8jdYeP8ZEpyV1F5cmRsTDA
>> [3] https://drive.google.com/open?id=0B16LG8jdYeP8LWF2elVTbzFQOWs
>> [4] https://drive.google.com/open?id=0B16LG8jdYeP8VmtlWXEtdmRJUjQ
>>
>> Regards,
>> --
>> Anupama Pathirage
>> Associate Technical Lead
>> WSO2, Inc.  http://wso2.com/
>> Email: anup...@wso2.com
>> Mobile:+94 71 8273 979
>>
>>
>>
>
> [1] https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
> [2] http://stackoverflow.com/questions/18337630/what-is-x-content-type-options-nosniff
>
> Thanks,
> Manuri
>
> --
>
> *Manuri Amaya Perera*
>
> *Software Engineer*
>
> *WSO2 Inc.*
>
> *Blog: http://manuriamayaperera.blogspot.com*
>



-- 

*Kasun Gajasinghe*, Associate Technical Lead, WSO2 Inc.
email: kasung AT spamfree wso2.com
linked-in: http://lk.linkedin.com/in/gajasinghe
blog: http://kasunbg.org
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
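An added example, not from the thread or from the WSO2 code base: it applies the nosniff rule Manuri describes to constructed response headers, so a Carbon deployment can be audited for script resources served with a non-JavaScript Content-Type before the kernel 4.4.6 headers are enabled. The Try it URL is the one from the thread; the three header sets are constructed to model kernel 4.4.5, kernel 4.4.6, and a proxy that has been fixed to send the right Content-Type.

```python
from urllib.parse import parse_qs, urlsplit

# JavaScript MIME types a nosniff-enabled browser accepts for <script>
# (the "JavaScript MIME type" list from the WHATWG MIME Sniffing standard).
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

def essence(content_type):
    """Lowercased type/subtype with parameters such as charset dropped."""
    return content_type.split(";", 1)[0].strip().lower()

def get_header(headers, name):
    """Case-insensitive lookup over a dict of response headers."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def requested_script(url):
    """True if the URL asks for a .js file by path or, as wsdl2form does, via resource=."""
    parts = urlsplit(url)
    target = parse_qs(parts.query).get("resource", [parts.path])[0]
    return target.lower().endswith(".js")

def check_response(url, headers):
    """'ok' if the script will run, 'blocked' if nosniff makes the browser refuse it,
    'mismatch' if the Content-Type is wrong but nosniff is absent (runs by sniffing)."""
    if not requested_script(url):
        return "ok"
    ctype = get_header(headers, "Content-Type")
    if ctype is not None and essence(ctype) in JAVASCRIPT_MIME_TYPES:
        return "ok"
    nosniff = (get_header(headers, "X-Content-Type-Options") or "").strip().lower()
    return "blocked" if nosniff == "nosniff" else "mismatch"

TRYIT_URL = "https://localhost:9443/services/echo?wsdl2form&resource=editarea/edit_area_full.js"

# Constructed header sets modelled on the thread (not captured responses).
SAMPLES = {
    "kernel-4.4.5": {"Content-Type": "text/html;charset=UTF-8"},
    "kernel-4.4.6": {"Content-Type": "text/html;charset=UTF-8", "X-Content-Type-Options": "nosniff"},
    "fixed-proxy": {"Content-Type": "application/javascript", "X-Content-Type-Options": "nosniff"},
}

def audit(url=TRYIT_URL, samples=SAMPLES):
    """Verdict per sample; the 4.4.6 case reproduces Chrome's 'Refused to execute script'."""
    return {name: check_response(url, hdrs) for name, hdrs in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```

The "mismatch" verdict is the one worth fixing before turning nosniff on: the script still runs today only because the browser sniffs past the wrong Content-Type.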
