On Tue, Jun 21, 2016 at 3:26 PM, KasunG Gajasinghe <kas...@wso2.com> wrote:

>
>
> On Tue, Jun 21, 2016 at 2:37 PM, Manuri Amaya Perera <manu...@wso2.com>
> wrote:
>
>> Hi all,
>>
>> Please find the comments inline.
>>
>> On Tue, Jun 21, 2016 at 9:48 AM, Anupama Pathirage <anup...@wso2.com>
>> wrote:
>>
>>> Hi,
>>>
>>> When we build the product DSS [1] with the latest Kernel release
>>> (4.4.6), we have observed the following issues in the "Try it" page. Appreciate
>>> any clue on this to get them resolved.
>>>
>>> *1)* In HTTPS mode, Try it requests give the following error on send
>>> [2][3].
>>>
>>> WARN {org.owasp.csrfguard.log.JavaLogger} -  potential cross-site
>>> request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.100.7.118,
>>> method:POST, uri:/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp,
>>> error:required token is missing from the request)
>>>
>>> Private proxy protocol will be attempted as cross-domain browser
>>> restrictions might be enforced for this endpoint.
>>>
>>> <TryitClient xmlns="http://tryit.carbon.wso2.org">
>>>    <Reason>Error connecting to the Tryit ajax proxy</Reason>
>>> </TryitClient>
>>>
>>> *2)* The Try it page does not load properly in Chrome. It loads correctly
>>> in Firefox. It gives the following error on Chrome [4].
>>>
>>> Refused to execute script from
>>> 'https://localhost:9443/services/echo?wsdl2form&resource=editarea/edit_area_full.js'
>>> because its MIME type ('text/html') is not executable, and strict MIME type
>>> checking is enabled.
>>> Uncaught ReferenceError: editAreaLoader is not defined.
>>>
>>
>> When downgrading DSS's kernel version to 4.4.5 this issue doesn't occur.
>> When comparing the response to the request
>>
>> http://10.100.7.67:9783/services/echo?wsdl2form&resource=editarea/edit_area_full.js
>>
>> in DSS with kernel 4.4.5 and kernel 4.4.6 it seems some additional
>> headers are present in the latter. They were,
>>
>>    1. X-Content-Type-Options: nosniff
>>    2. X-Frame-Options: DENY
>>    3. X-XSS-Protection: 1; mode=block
>>
>> Here the X-Content-Type-Options header is to make sure the browser does
>> not try to detect a different Content-Type than what is actually sent [1].
>>
>
> What is the Content-Type (or rather Accept) header sent by the browser?
>
Accept header is */*


>
>
>> Here the content type of the response is text/html. Therefore this error
>> occurs for the edit_area_full.js file. And it seems Firefox (at least the
>> version we tested with) does not support this header but Chrome does [2],
>> which should be the reason why we don't get this error in Firefox.
>>
>> Anyway we built with kernel 4.4.6 and checked this in BPS and it seems
>> those additional headers are not present in the response.
>>
>
> If the configurations and the tryit version are the same, then both these
> products should behave in a similar manner.
>
Try it versions are equal. And the two Owasp.CsrfGuard.Carbon.properties
files are identical.


>
>
>>
>>
>> [1] https://github.com/wso2/product-dss/
>>> [2] https://drive.google.com/open?id=0B16LG8jdYeP8ZEpyV1F5cmRsTDA
>>> [3] https://drive.google.com/open?id=0B16LG8jdYeP8LWF2elVTbzFQOWs
>>> [4] https://drive.google.com/open?id=0B16LG8jdYeP8VmtlWXEtdmRJUjQ
>>>
>>> Regards,
>>> --
>>> Anupama Pathirage
>>> Associate Technical Lead
>>> WSO2, Inc.  http://wso2.com/
>>> Email: anup...@wso2.com
>>> Mobile:+94 71 8273 979
>>>
>>>
>>>
>>
>> [1] https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
>> [2] http://stackoverflow.com/questions/18337630/what-is-x-content-type-options-nosniff
>>
>> Thanks,
>> Manuri
>>
>> --
>>
>> *Manuri Amaya Perera*
>>
>> *Software Engineer*
>>
>> *WSO2 Inc.*
>>
>> *Blog: http://manuriamayaperera.blogspot.com
>> <http://manuriamayaperera.blogspot.com>*
>>
>
>
>
> --
>
> *Kasun Gajasinghe*
> Associate Technical Lead, WSO2 Inc.
> email: kasung AT spamfree wso2.com
> linked-in: http://lk.linkedin.com/in/gajasinghe
> blog: http://kasunbg.org
>
>
>



-- 

*Manuri Amaya Perera*

*Software Engineer*

*WSO2 Inc.*

*Blog: http://manuriamayaperera.blogspot.com
<http://manuriamayaperera.blogspot.com>*
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
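The diagnosis in this thread hinges on one interaction: kernel 4.4.6 started sending `X-Content-Type-Options: nosniff`, and the Try it page's `edit_area_full.js` was still served as `text/html`, so a browser that enforces nosniff (Chrome) refuses to run it while one that did not at the time (Firefox) sniffs or executes it anyway. The following is an added example, not code from the thread or from the WSO2 code base, that reproduces the header comparison Manuri did by hand and then applies the nosniff rule for a script destination. Both response heads (`RESPONSE_445`, `RESPONSE_446`) are constructed to mirror what the thread reports, not real captures, and `with_corrected_type` is an assumed fix for illustration (declaring a JavaScript MIME type while keeping the hardening header); the thread does not say how the issue was eventually resolved.

```python
# Added example (not from the thread or the WSO2 code base): offline
# reproduction of the header diff and of the nosniff rule that explains why
# Chrome refused edit_area_full.js. Both "captures" below are constructed.

from typing import Dict, Tuple

# JavaScript MIME types that a nosniff-enforcing browser will execute as a
# script (the core of the Fetch spec's "JavaScript MIME type" list; the
# parameter part, e.g. ";charset=utf-8", is stripped before comparison).
JS_MIME_TYPES = {
    "application/javascript", "application/ecmascript",
    "application/x-javascript", "application/x-ecmascript",
    "text/javascript", "text/ecmascript", "text/jscript",
    "text/livescript", "text/x-javascript", "text/x-ecmascript",
}

# Constructed response head for the resource in the thread, kernel 4.4.5 build.
RESPONSE_445 = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Content-Length: 1234
Server: WSO2 Carbon Server
"""

# Constructed response head for the same resource, kernel 4.4.6 build:
# the three extra hardening headers the thread reports.
RESPONSE_446 = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Content-Length: 1234
Server: WSO2 Carbon Server
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head into a dict keyed by lower-cased name.
    The status line is skipped; header names are case-insensitive (RFC 7230)."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # [1:] skips the status line
        if not line.strip():
            break  # blank line ends the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def added_headers(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, str]:
    """Headers present in `new` but absent from `old` (the comparison in the thread)."""
    return {k: v for k, v in new.items() if k not in old}


def nosniff_enabled(headers: Dict[str, str]) -> bool:
    """X-Content-Type-Options is matched case-insensitively on the token 'nosniff'."""
    return headers.get("x-content-type-options", "").strip().lower() == "nosniff"


def essence(content_type: str) -> str:
    """'text/html;charset=UTF-8' -> 'text/html' (MIME essence, lower-cased)."""
    return content_type.split(";", 1)[0].strip().lower()


def script_blocked(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Apply the nosniff rule for a <script> destination.

    Without nosniff a browser may sniff or simply execute the body regardless
    of Content-Type (the 4.4.5 behaviour, and Firefox at the time). With
    nosniff the response runs only if its declared type is a JavaScript MIME
    type; anything else is refused, which is Chrome's "Refused to execute
    script ... strict MIME type checking is enabled" message.
    """
    ct = essence(headers.get("content-type", ""))
    if not nosniff_enabled(headers):
        return False, f"no nosniff: browser may execute regardless of '{ct}'"
    if ct in JS_MIME_TYPES:
        return False, f"nosniff, but declared type '{ct}' is a JavaScript MIME type"
    return True, f"nosniff and declared type '{ct}' is not executable as script"


def with_corrected_type(headers: Dict[str, str]) -> Dict[str, str]:
    """Assumed server-side fix: keep the hardening header, declare the right type."""
    fixed = dict(headers)
    fixed["content-type"] = "application/javascript;charset=UTF-8"
    return fixed


if __name__ == "__main__":
    old, new = parse_headers(RESPONSE_445), parse_headers(RESPONSE_446)
    print("headers added in 4.4.6:", added_headers(old, new))
    for label, h in (("4.4.5", old), ("4.4.6", new),
                     ("4.4.6 + correct type", with_corrected_type(new))):
        blocked, why = script_blocked(h)
        print(f"{label}: blocked={blocked} ({why})")
```

The point the comparison makes is that the 4.4.6 headers are not the defect; they expose one. A resource that only worked because browsers ignored its declared type will break the moment any layer (a kernel upgrade, a reverse proxy, a CDN) adds `nosniff`, so the durable fix is to serve scripts with a JavaScript MIME type rather than to drop the header.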
