On Tue, Jun 21, 2016 at 3:26 PM, KasunG Gajasinghe <kas...@wso2.com> wrote:
>
> On Tue, Jun 21, 2016 at 2:37 PM, Manuri Amaya Perera <manu...@wso2.com> wrote:
>
>> Hi all,
>>
>> Please find the comments inline.
>>
>> On Tue, Jun 21, 2016 at 9:48 AM, Anupama Pathirage <anup...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> When we build the product DSS [1] with the latest Kernel Release (4.4.6), we have observed the following issues in the "Try it" page. Appreciate any clue on this to get them resolved.
>>>
>>> *1)* In HTTPS mode, Try it requests give the following error on send [2][3].
>>>
>>> WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.100.7.118, method:POST, uri:/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp, error:required token is missing from the request)
>>>
>>> Private proxy protocol will be attempted as cross-domain browser restrictions might be enforced for this endpoint.
>>>
>>> <TryitClient xmlns="http://tryit.carbon.wso2.org">
>>> <Reason>Error connecting to the Tryit ajax proxy</Reason>
>>> </TryitClient>
>>>
>>> *2)* Try it page does not load properly in Chrome. It loads correctly in Firefox. It gives the following error on Chrome [4].
>>>
>>> Refused to execute script from 'https://localhost:9443/services/echo?wsdl2form&resource=editarea/edit_area_full.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.
>>> Uncaught ReferenceError: editAreaLoader is not defined.
>>>
>> When downgrading DSS's kernel version to 4.4.5 this issue doesn't occur.
>>
>> When comparing the response to the request http://10.100.7.67:9783/services/echo?wsdl2form&resource=editarea/edit_area_full.js in DSS with kernel 4.4.5 and kernel 4.4.6 it seems some additional headers are present in the latter. They were,
>>
>> 1. X-Content-Type-Options: nosniff
>> 2. X-Frame-Options: DENY
>> 3. X-XSS-Protection: 1; mode=block
>>
>> Here the X-Content-Type-Options header is to make sure the browser does not try to detect a different Content-Type than what is actually sent [1].
>
> What is the Content-Type (or rather Accept) header sent by the browser?

Accept header is */*

>> Here the content type of the response is text/html. Therefore this error occurs for the edit_area_full.js file. And it seems Firefox (at least the version we tested with) is not supporting this header but Chrome does [2], which should be the reason why we don't get this error in Firefox.
>>
>> Anyway we built with kernel 4.4.6 and checked this in BPS and it seems those additional headers are not present in the response.
>
> If the configurations and the tryit version are the same, then both these products should behave in a similar manner.

Try it versions are equal. And the two Owasp.CsrfGuard.Carbon.properties files are identical.

>>> [1] https://github.com/wso2/product-dss/
>>> [2] https://drive.google.com/open?id=0B16LG8jdYeP8ZEpyV1F5cmRsTDA
>>> [3] https://drive.google.com/open?id=0B16LG8jdYeP8LWF2elVTbzFQOWs
>>> [4] https://drive.google.com/open?id=0B16LG8jdYeP8VmtlWXEtdmRJUjQ
>>>
>>> Regards,
>>> --
>>> Anupama Pathirage
>>> Associate Technical Lead
>>> WSO2, Inc.
>>> http://wso2.com/
>>> Email: anup...@wso2.com
>>> Mobile: +94 71 8273 979
>>
>> [1] https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
>> [2] http://stackoverflow.com/questions/18337630/what-is-x-content-type-options-nosniff
>>
>> Thanks,
>> Manuri
>>
>> --
>> *Manuri Amaya Perera*
>> *Software Engineer*
>> *WSO2 Inc.*
>> *Blog: http://manuriamayaperera.blogspot.com*
>
> --
> *Kasun Gajasinghe*
> Associate Technical Lead, WSO2 Inc.
> email: kasung AT spamfree wso2.com
> linked-in: http://lk.linkedin.com/in/gajasinghe
> blog: http://kasunbg.org

--
*Manuri Amaya Perera*
*Software Engineer*
*WSO2 Inc.*
*Blog: http://manuriamayaperera.blogspot.com*
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
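The second issue in the thread comes down to one rule: once a response carries X-Content-Type-Options: nosniff, a browser with strict MIME checking will only execute it as a script if its Content-Type is a JavaScript MIME type, so a .js resource served as text/html is refused. The following script is an added example, not part of the thread and not WSO2 or Carbon code; it models that rule over three constructed response heads (the 4.4.5 and 4.4.6 shapes described above plus one with a correct Content-Type) and reproduces the header comparison Manuri did between the two kernels. The response texts, sizes and the application/javascript fix are assumptions for the illustration.

```python
"""Model of the browser check behind "Refused to execute script ... strict
MIME type checking is enabled".

Added example, not WSO2/Carbon code.  The response heads below are
constructed to mirror the thread: the same edit_area_full.js resource served
as text/html with and without the headers that kernel 4.4.6 adds."""

from typing import Dict, Optional, Set

# MIME essences that count as JavaScript for script execution
# (the list given in the WHATWG MIME Sniffing standard).
JS_MIME_TYPES: Set[str] = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

# Constructed sample response heads (status line plus headers, no body).
RESPONSE_KERNEL_445 = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1234
"""

RESPONSE_KERNEL_446 = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1234
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
"""

# Assumed fix: keep the 4.4.6 headers, label the script correctly.
RESPONSE_FIXED = """HTTP/1.1 200 OK
Content-Type: application/javascript; charset=UTF-8
Content-Length: 1234
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw response head into a lower-cased name -> value map."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def mime_essence(content_type: str) -> str:
    """'text/html; charset=UTF-8' -> 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def nosniff_enabled(headers: Dict[str, str]) -> bool:
    """True when X-Content-Type-Options carries the nosniff directive."""
    value = headers.get("x-content-type-options", "")
    return value.split(",", 1)[0].strip().lower() == "nosniff"


def script_refusal_reason(headers: Dict[str, str]) -> Optional[str]:
    """Why a strict-MIME browser refuses to run this response as a script,
    or None when it would execute it.  Without nosniff the browser may sniff
    the body, so only the nosniff case is reported."""
    if not nosniff_enabled(headers):
        return None
    content_type = headers.get("content-type", "")
    if mime_essence(content_type) not in JS_MIME_TYPES:
        return (f"MIME type ({content_type!r}) is not executable "
                "and strict MIME type checking is enabled")
    return None


def added_headers(old_raw: str, new_raw: str) -> Set[str]:
    """Header names present in the new response but not in the old one:
    the comparison that exposed the extra headers in the thread."""
    return set(parse_headers(new_raw)) - set(parse_headers(old_raw))


if __name__ == "__main__":
    cases = (("kernel 4.4.5", RESPONSE_KERNEL_445),
             ("kernel 4.4.6", RESPONSE_KERNEL_446),
             ("4.4.6 + correct Content-Type", RESPONSE_FIXED))
    for label, raw in cases:
        reason = script_refusal_reason(parse_headers(raw))
        print(f"{label}: {'refused, ' + reason if reason else 'executed'}")
    print("headers added in 4.4.6:",
          sorted(added_headers(RESPONSE_KERNEL_445, RESPONSE_KERNEL_446)))
```

The point the model makes explicit is that nosniff is doing its job: the browser is declining to guess that an HTML-labelled body is really JavaScript. The durable fix is for the server to send a JavaScript Content-Type for .js resources (the third response), not to drop the header, and the same check run against any proxied resource tells you in advance which ones a strict browser will refuse.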