Thanks Jacques, I'll look into it!
On 07/05/2022 at 10:33, Jacques Le Roux wrote:
BTW I created this Jira CSP related filter:
https://issues.apache.org/jira/browse/OFBIZ-11889?filter=12351704
On 07/05/2022 at 10:21, Jacques Le Roux wrote:
Hi Florian,
Yes, users could use their own CSP by changing the CSP-Report-Only
default from a property in security.properties
Of course this is a very simple (unique) mechanism and if we need
something more dynamic we also need to set something new.
It could be a special csp.properties file in components. But I think
using OFBiz (not Java) SystemProperties would fit better (see common
entitymodel.xml line 87 in trunk) because it allows dynamic
interaction with the DB.
HTH
Jacques
On 06/05/2022 at 16:27, Florian Motteau wrote:
Hi Jacques,
Thanks for the quick reply, really appreciated. I missed these
tickets, very interesting.
So I understand that you suggest having a variable in
security.properties (or another property file) which would be injected
as the HTTP CSP-Report-Only header?
What about allowing themes/components to override this header's
content (at their own risk :))? So if a theme maintainer wants to
include a library/font/... from an external server, he could modify
the CSP and avoid piling up warnings. But overriding only one value
in a property file is not possible (I think).
On 06/05/2022 at 15:56, Jacques Le Roux wrote:
Hi Florian,
Welcome, glad to have a new front end developer with us.
I indeed started to work on that in 2018, and just did the minimum:
https://issues.apache.org/jira/browse/OFBIZ-10417
Later Alex Bodnaru (no longer working with us) created
https://issues.apache.org/jira/browse/OFBIZ-11889
So, I then opened: https://issues.apache.org/jira/browse/OFBIZ-11951
There are few other related issues: https://s.apache.org/tt3zd
IMO having a configuration through properties would be a good help
to start. Maybe we can do better then...
HTH
Jacques
On 06/05/2022 at 14:10, Florian Motteau wrote:
Hello everyone,
I recently joined the awesome Néréide team, as a front end
developer, discovering OFBiz (and basically discovering what an
ERP is :)).
I noticed that OFBiz throws a lot of errors about external
resources in the browser console, because OFBiz sets a
"Content-Security-Policy-Report-Only" HTTP header, with
"default-src: 'self'", on request responses, which is very
conservative (basically, this CSP will complain about all external
resources, inline scripts/CSS, images with "data" src, etc.).
Since OFBiz uses a "Content-Security-Policy-Report-Only" (and not
"Content-Security-Policy") header, resources will be loaded
anyway, and nothing breaks.
For now I can see errors related to jsTree[1] and jGrowl[2]. They
both dynamically add script or stylesheet elements to the DOM
(not allowed with a default-src: 'self' CSP).
First I tried to update the CSP using the HTML meta <meta
http-equiv="Content-Security-Policy" content="...">, but
"Content-Security-Policy-Report-Only" (which is set as HTTP header
in UtilHttp.java) is not supported through a meta tag (only at
server level). See [3].
The reasoning behind this choice is summed up here: [4]. If I
understand correctly, the idea is to have a conservative CSP, and
work to remove all external/inline resources.
So I am wondering if "supporting" a CSP with only "default-src
'self'" should be a goal at this point, since OFBiz relies on
libraries (jsTree, jGrowl, maybe more?) which clearly prevent
reaching this goal. I may be missing something more important here,
but it would be great to silence those warnings by removing this
header (not a big deal, but from a front end developer's perspective
it may seem weird to have 20+ errors OOTB :)). This CSP will also
lead to additional errors if one chooses to use external resources
in his theme (fonts, libraries from a CDN...).
We could also modify the content of the
"Content-Security-Policy-Report-Only" (use a more permissive
content) header to get rid of jsTree/jGrowl errors (allowing
'safe-inline' for script-src/ style-src I guess). I would be glad
to help on this.
Jacques I saw you worked on it, do you have any suggestion ?
Thank you
Florian Motteau
[1] https://github.com/vakata/jstree
[2] https://github.com/stanlemon/jGrowl
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
[4] https://cwiki.apache.org/confluence/display/OFBIZ
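The thread above discusses two things: what a "default-src 'self'" policy actually blocks (same-origin scripts are fine, inline scripts/styles and data: images are not), and how a base policy from a property file could be merged with a per-theme override instead of replaced wholesale. The following is an added example, not OFBiz code and not from any participant in the thread; it models a CSP header as a directive map, merges a constructed theme override into a base policy so that added sources extend rather than drop 'self', and evaluates a few constructed resource loads against both policies. Source matching is a simplified reading of the CSP3 rules (no path matching, nonces, hashes or port wildcards); the page origin, file paths and override values are assumptions for illustration.

```javascript
// Added example (not OFBiz code): parse, merge and evaluate CSP policies.
// Simplifications: no path matching, no nonce/hash sources, bare host
// sources are treated as https://, and '*.example.com' matches any subdomain.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function serializeCsp(policy) {
  return [...policy].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

// Merge a theme/component override into the base policy. A directive the base
// does not set starts from the base default-src, so adding a CDN to font-src
// extends 'self' instead of silently replacing it.
function mergeCsp(baseHeader, overrideHeader) {
  const merged = parseCsp(baseHeader);
  for (const [directive, sources] of parseCsp(overrideHeader)) {
    const start = merged.get(directive) ?? merged.get('default-src') ?? [];
    const seen = new Set(start);
    merged.set(directive, [...start, ...sources.filter((s) => !seen.has(s))]);
  }
  return serializeCsp(merged);
}

// Reporting and enforcing differ only in the header name; the value is identical.
function cspHeader(policyValue, reportOnly) {
  return {
    name: reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy',
    value: policyValue,
  };
}

// load = { directive: 'script-src' | 'style-src' | 'img-src' | 'font-src' | ...,
//          url?: string, inline?: boolean }
function sourceAllows(source, load, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'unsafe-inline'") return load.inline === true;
  if (load.inline) return false; // every other source expression matches fetched URLs only
  if (source === '*') return !/^(data|blob|filesystem):/i.test(load.url); // '*' excludes these schemes
  let target;
  try { target = new URL(load.url); } catch { return false; }
  if (source === "'self'") return target.origin === pageOrigin; // data: URLs have origin "null"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol.toLowerCase() === source.toLowerCase();
  if (source.startsWith('*.')) return target.hostname.toLowerCase().endsWith(source.slice(1).toLowerCase());
  try {
    const host = new URL(source.includes('://') ? source : `https://${source}`); // assumption: bare host => https
    return host.origin === target.origin;
  } catch { return false; }
}

// Effective directive: the specific fetch directive, else default-src (CSP fallback rule).
function isAllowed(header, load, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy.get(load.directive) ?? policy.get('default-src');
  if (!sources) return true; // nothing governs this directive
  return sources.some((s) => sourceAllows(s, load, pageOrigin));
}

// Constructed sample data (assumed origin, paths and override values).
const PAGE = 'https://localhost:8443';
const BASE = "default-src 'self'";
const THEME_OVERRIDE = "font-src https://fonts.gstatic.com; style-src 'unsafe-inline'";
const MERGED = mergeCsp(BASE, THEME_OVERRIDE);

const SAMPLE_LOADS = {
  sameOriginScript: { directive: 'script-src', url: `${PAGE}/images/jquery/plugins/jstree/jstree.min.js` },
  inlineScript: { directive: 'script-src', inline: true },
  inlineStyle: { directive: 'style-src', inline: true },
  dataImage: { directive: 'img-src', url: 'data:image/png;base64,iVBORw0KGgo=' },
  cdnFont: { directive: 'font-src', url: 'https://fonts.gstatic.com/s/roboto/v30/x.woff2' },
};

// Returns { loadName: allowed } for every sample load under the given header.
function report(header) {
  const out = {};
  for (const [name, load] of Object.entries(SAMPLE_LOADS)) out[name] = isAllowed(header, load, PAGE);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(cspHeader(BASE, true));
  console.log('base policy:', report(BASE));
  console.log('merged policy:', MERGED);
  console.log('merged policy:', report(MERGED));
}
```

Under the base policy only the same-origin script load passes; inline script, inline style, the data: image and the CDN font are all reported. After merging the override, the CDN font and inline styles pass while inline scripts are still reported, which is the kind of per-theme loosening the thread is asking for without giving up 'self' on the directives the theme did not touch.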