Hi,

I have added content type in tryit.xslt and sent a PR [1]. This resolved issue 2.

[1] https://wso2.org/jira/browse/CCOMMONS-16

On Tue, Jun 21, 2016 at 4:01 PM, Manuri Amaya Perera <manu...@wso2.com> wrote:

> Hi Ayoma,
>
> I think setting the content-type can be done in [1].
>
> But this issue should occur for other products as well right?
>
> [1] https://github.com/wso2/carbon-commons/blob/master/components/wsdl2form/org.wso2.carbon.wsdl2form/src/main/java/org/wso2/carbon/wsdl2form/WSDL2FormRequestProcessor.java
>
> Thanks,
> Manuri
>
> On Tue, Jun 21, 2016 at 3:55 PM, Ayoma Wijethunga <ay...@wso2.com> wrote:
>
>> Hi Team,
>>
>> As Manuri mentioned, "issue 2" occurs because we are serving a JavaScript as the response for service call [1] with the content-type "text/html". This should be corrected to "application/javascript".
>>
>> Is there any possibility for us to send the "content-type" header in the response, based on the extension of the resource being loaded? This is the correct way forward.
>>
>> Issue is relevant to the "X-Content-Type-Options:nosniff" header the Tomcat filter is setting to prevent "MIME Sniffing" attacks [2]. Also this is separate from CSRFGuard.
>>
>> [1] http://10.100.7.67:9783/services/echo?wsdl2form&resource=editarea/edit_area_full.js
>> [2] http://www.slideshare.net/RonanDunne1/mime-sniffing-17014318
>>
>> Regards,
>> Ayoma.
>>
>> On Tue, Jun 21, 2016 at 3:41 PM, Manuri Amaya Perera <manu...@wso2.com> wrote:
>>
>>> On Tue, Jun 21, 2016 at 3:26 PM, KasunG Gajasinghe <kas...@wso2.com> wrote:
>>>
>>>> On Tue, Jun 21, 2016 at 2:37 PM, Manuri Amaya Perera <manu...@wso2.com> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> Please find the comments inline.
>>>>>
>>>>> On Tue, Jun 21, 2016 at 9:48 AM, Anupama Pathirage <anup...@wso2.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> When we build the product DSS [1] with the latest Kernel Release (4.4.6), we have observed the following issues in the "Try it" page. Appreciate any clue on this to get them resolved.
>>>>>>
>>>>>> *1)* In Https mode, Try it requests give the following error on send [2][3].
>>>>>>
>>>>>> WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.100.7.118, method:POST, uri:/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp, error:required token is missing from the request)
>>>>>>
>>>>>> Private proxy protocol will be attempted as cross-domain browser restrictions might be enforced for this endpoint.
>>>>>>
>>>>>> <TryitClient xmlns="http://tryit.carbon.wso2.org">
>>>>>> <Reason>Error connecting to the Tryit ajax proxy</Reason>
>>>>>> </TryitClient>
>>>>>>
>>>>>> *2)* Try it page does not load properly in Chrome. It loads correctly in Firefox. It gives the following error on Chrome [4].
>>>>>>
>>>>>> Refused to execute script from 'https://localhost:9443/services/echo?wsdl2form&resource=editarea/edit_area_full.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.
>>>>>> Uncaught ReferenceError: editAreaLoader is not defined.
>>>>>
>>>>> When downgrading DSS's kernel version to 4.4.5 this issue doesn't occur. When comparing the response to the request http://10.100.7.67:9783/services/echo?wsdl2form&resource=editarea/edit_area_full.js in DSS with kernel 4.4.5 and kernel 4.4.6 it seems some additional headers are present in the latter. They were,
>>>>>
>>>>> 1. X-Content-Type-Options: nosniff
>>>>> 2. X-Frame-Options: DENY
>>>>> 3. X-XSS-Protection: 1; mode=block
>>>>>
>>>>> Here the X-Content-Type-Options header is to make sure the browser does not try to detect a different Content-Type than what is actually sent [1].
>>>>
>>>> What is the Content-Type (or rather Accept) header sent by the browser?
>>>
>>> Accept header is */*
>>>
>>>>> Here the content type of the response is text/html. Therefore this error occurs for the edit_area_full.js file. And it seems Firefox (at least the version we tested with) is not supporting this header but Chrome does [2], which should be the reason why we don't get this error in Firefox.
>>>>>
>>>>> Anyway we built with kernel 4.4.6 and checked this in BPS and it seems those additional headers are not present in the response.
>>>>
>>>> If the configurations and the tryit version are the same, then both these products should behave in a similar manner.
>>>
>>> Try it versions are equal. And the two Owasp.CsrfGuard.Carbon.properties files are identical.
>>>
>>>>>> [1] https://github.com/wso2/product-dss/
>>>>>> [2] https://drive.google.com/open?id=0B16LG8jdYeP8ZEpyV1F5cmRsTDA
>>>>>> [3] https://drive.google.com/open?id=0B16LG8jdYeP8LWF2elVTbzFQOWs
>>>>>> [4] https://drive.google.com/open?id=0B16LG8jdYeP8VmtlWXEtdmRJUjQ
>>>>>>
>>>>>> Regards,
>>>>>> --
>>>>>> Anupama Pathirage
>>>>>> Associate Technical Lead
>>>>>> WSO2, Inc.
>>>>>> http://wso2.com/
>>>>>> Email: anup...@wso2.com
>>>>>> Mobile: +94 71 8273 979
>>>>>
>>>>> [1] https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
>>>>> [2] http://stackoverflow.com/questions/18337630/what-is-x-content-type-options-nosniff
>>>>>
>>>>> Thanks,
>>>>> Manuri
>>>>>
>>>>> --
>>>>> *Manuri Amaya Perera*
>>>>> *Software Engineer*
>>>>> *WSO2 Inc.*
>>>>> *Blog: http://manuriamayaperera.blogspot.com*
>>>>
>>>> --
>>>> *Kasun Gajasinghe*
>>>> Associate Technical Lead, WSO2 Inc.
>>>> email: kasung AT spamfree wso2.com
>>>> linked-in: http://lk.linkedin.com/in/gajasinghe
>>>> blog: http://kasunbg.org
>>>
>>> --
>>> *Manuri Amaya Perera*
>>> *Software Engineer*
>>> *WSO2 Inc.*
>>> *Blog: http://manuriamayaperera.blogspot.com*
>>
>> --
>> Ayoma Wijethunga
>> Software Engineer
>> Platform Security Team
>> WSO2, Inc.; http://wso2.com
>> lean.enterprise.middleware
>>
>> Mobile : +94 (0) 719428123
>> Blog : http://www.ayomaonline.com
>> LinkedIn: https://www.linkedin.com/in/ayoma
>
> --
> *Manuri Amaya Perera*
> *Software Engineer*
> *WSO2 Inc.*
> *Blog: http://manuriamayaperera.blogspot.com*

--
*Manuri Amaya Perera*
*Software Engineer*
*WSO2 Inc.*
*Blog: http://manuriamayaperera.blogspot.com*
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
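The thread above turns on two things: the wsdl2form endpoint answering a `resource=...js` request with `Content-Type: text/html`, and the kernel 4.4.6 Tomcat filter adding `X-Content-Type-Options: nosniff`, after which Chrome refuses to run the script. The following is an added example, not code from the WSO2 thread or from the carbon-commons project: it derives the Content-Type from the resource's extension (the approach Ayoma asks about) and emulates the strict MIME check a browser applies to a `<script>` load when `nosniff` is present, so a response can be tested before it ships. The extension table, the `DEFAULT_TYPE` fallback, and the function names are this example's own assumptions; the sample headers and URL are constructed from the values quoted in the thread.

```python
"""Added example (not the project's code): extension-based Content-Type
selection for wsdl2form static resources, plus a check that emulates the
strict MIME test browsers apply to <script> loads under
X-Content-Type-Options: nosniff."""
import posixpath
from urllib.parse import parse_qs, urlsplit

# Assumed extension table for the static files the Try It page pulls in.
# Constructed for this example; the project's real mapping is not reproduced here.
RESOURCE_TYPES = {
    ".js": "application/javascript",
    ".css": "text/css",
    ".html": "text/html",
    ".png": "image/png",
    ".gif": "image/gif",
}
# Unknown extension: fall back to a non-scriptable, non-renderable type rather than guessing.
DEFAULT_TYPE = "application/octet-stream"

# JavaScript MIME types that pass strict MIME checking for a script load.
SCRIPT_TYPES = {
    "application/javascript", "application/ecmascript", "application/x-javascript",
    "text/javascript", "text/ecmascript",
}


def content_type_for_resource(resource):
    """Pick the Content-Type from the resource's file extension (case-insensitive)."""
    ext = posixpath.splitext(resource)[1].lower()
    return RESOURCE_TYPES.get(ext, DEFAULT_TYPE)


def resource_from_url(url):
    """Extract the ?resource=... value from a wsdl2form URL (None if absent)."""
    return parse_qs(urlsplit(url).query).get("resource", [None])[0]


def response_headers_for(url, nosniff=True):
    """Headers the service should send for the resource named in the URL.
    nosniff=True mirrors the header the kernel 4.4.6 filter adds; the form page
    itself (no resource parameter) keeps text/html."""
    resource = resource_from_url(url)
    ctype = content_type_for_resource(resource) if resource else "text/html"
    headers = {"Content-Type": ctype}
    if nosniff:
        headers["X-Content-Type-Options"] = "nosniff"
    return headers


def script_blocked_by_nosniff(headers):
    """True if a <script> load of this response would be refused: nosniff is set
    and the Content-Type (parameters such as charset stripped) is not a
    JavaScript type. Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    ctype = h.get("content-type", "").split(";", 1)[0].strip().lower()
    return nosniff and ctype not in SCRIPT_TYPES


# Constructed sample: the kernel 4.4.6 response and script URL described in the thread.
BROKEN_RESPONSE = {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"}
SCRIPT_URL = "https://localhost:9443/services/echo?wsdl2form&resource=editarea/edit_area_full.js"

if __name__ == "__main__":
    print("broken response blocked:", script_blocked_by_nosniff(BROKEN_RESPONSE))  # True
    fixed = response_headers_for(SCRIPT_URL)
    print("fixed headers:", fixed)
    print("fixed response blocked:", script_blocked_by_nosniff(fixed))  # False
```

Keeping `nosniff` and fixing the Content-Type is the right order of operations: the header is doing its job by refusing to treat an `text/html` body as script, and dropping it would reintroduce the MIME-sniffing exposure the filter was added to close. The `DEFAULT_TYPE` fallback matters for the same reason; an unrecognised extension should never be served as `text/html`, since that is the type a browser would render.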