Hi Jacques,

how can I configure a view so that no x-frame-options header is set?

While it is great to have these security options and also a secure default, there are cases where you might want to switch this header setting off.

Thanks and regards,

Michael


Am 12.12.15 um 12:37 schrieb jler...@apache.org:
Author: jleroux
Date: Sat Dec 12 11:37:56 2015
New Revision: 1719660

URL: http://svn.apache.org/viewvc?rev=1719660&view=rev
Log:
1st step for "Secure HTTP headers" 
https://issues.apache.org/jira/browse/OFBIZ-6766

Here are X-Frame-Options and Strict-Transport-Security, just a start...

Modified:
     ofbiz/trunk/framework/webapp/config/requestHandler.properties
     ofbiz/trunk/framework/webapp/dtd/site-conf.xsd
     
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
     
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java

Modified: ofbiz/trunk/framework/webapp/config/requestHandler.properties
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/config/requestHandler.properties?rev=1719660&r1=1719659&r2=1719660&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/config/requestHandler.properties (original)
+++ ofbiz/trunk/framework/webapp/config/requestHandler.properties Sat Dec 12 
11:37:56 2015
@@ -5,6 +5,10 @@ throwRequestHandlerExceptionOnMissingLoc
  status-code=302
# -- Default Content-Disposition type
-#-- attachment might be replaced by inline if you prefer to offer this option 
to your users.
+#   attachment might be replaced by inline if you prefer to offer this option 
to your users.
  #   attachment is supposed to be more secure, but this is a bit unclear see 
OFBIZ-6702 for details
-content-disposition-type=attachment
\ No newline at end of file
+content-disposition-type=attachment
+
+# -- Should we use strict-transport-security? True by default.
+#    Use false if you don't have a certificate or not a signed one and it annoys you to 
set "none" for each HTTP request!
+#strict-transport-security=false
\ No newline at end of file

Modified: ofbiz/trunk/framework/webapp/dtd/site-conf.xsd
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/dtd/site-conf.xsd?rev=1719660&r1=1719659&r2=1719660&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/dtd/site-conf.xsd (original)
+++ ofbiz/trunk/framework/webapp/dtd/site-conf.xsd Sat Dec 12 11:37:56 2015
@@ -774,5 +774,38 @@ under the License.
                  </xs:restriction>
              </xs:simpleType>
          </xs:attribute>
+        <xs:attribute name="x-frame-option" default="sameorigin">
+            <xs:annotation>
+                <xs:documentation>
+                    Provides clickjacking protection by instructing browsers 
that this page should not be placed within a frame.
+                    Possible values are:
+                    deny - no rendering within a frame,
+                    sameorigin - no rendering if origin mismatch, and
+                    allow-from: - allow rendering if framing page is within 
the specified URI domain.
+                    Allow from is supported by IE and Firefox, but not Chrome 
or Safari.
+                    It will also interfere with In Page Google Analytics since 
it requires your page to be framed by Google.
+                </xs:documentation>
+            </xs:annotation>
+            <xs:simpleType>
+                <xs:restriction base="xs:token">
+                    <xs:enumeration value="deny"/>
+                    <xs:enumeration value="sameorigin"/>
+                    <xs:enumeration value="allow-from"/>
+                </xs:restriction>
+            </xs:simpleType>
+        </xs:attribute>
+        <xs:attribute type="xs:string" name="strict-transport-security">
+            <xs:annotation>
+                <xs:documentation>
+                    HTTP Strict-Transport-Security (HSTS) enforces secure 
(HTTP over SSL/TLS) connections to the server.
+                    This reduces impact of bugs in web applications leaking 
session data through cookies and external links and defends against 
Man-in-the-middle attacks.
+                    HSTS also disables the ability for users to ignore SSL 
negotiation warnings.
+                    If the security of the connection cannot be ensured (e.g. 
the server's TLS certificate is not trusted),
+                    it shows an error message and do not allow the user to 
access the web application.
+                    As recommended by OWASP, by default "max-age=31536000; 
includeSubDomains" is used except if the server is localhost or 127.0.0.1.
+                    If the strict-transport-security is "none" then it will 
not be used.
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
      </xs:attributeGroup>
  </xs:schema>
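Review bot: The `allow-from` enumeration value cannot carry the URI that the X-Frame-Options ALLOW-FROM directive requires, so a view configured with it would be served a bare `x-frame-options: allow-from` header, which browsers treat as malformed and ignore, i.e. the page ends up with no framing protection at all. Either drop `allow-from` from the restriction or replace the enumeration with a pattern that admits the URI, e.g. `<xs:pattern value="deny|sameorigin|allow-from .+"/>` on a base of `xs:string`. The documentation should then also spell out that the configured value is emitted verbatim as the header value. Note too that the attribute is named `x-frame-option` here (singular) while the rest of the commit uses `x-frame-options`; one spelling should be chosen.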

Modified: 
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java?rev=1719660&r1=1719659&r2=1719660&view=diff
==============================================================================
--- 
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java 
(original)
+++ 
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ConfigXMLReader.java 
Sat Dec 12 11:37:56 2015
@@ -622,6 +622,8 @@ public class ConfigXMLReader {
          public String info;
          public String contentType;
          public String encoding;
+        public String xFrameOption;
+        public String strictTransportSecurity;
          public String description;
          public boolean noCache = false;
@@ -633,6 +635,8 @@ public class ConfigXMLReader {
              this.contentType = viewMapElement.getAttribute("content-type");
              this.noCache = 
"true".equals(viewMapElement.getAttribute("no-cache"));
              this.encoding = viewMapElement.getAttribute("encoding");
+            this.xFrameOption = viewMapElement.getAttribute("x-frame-options");
+            this.strictTransportSecurity = 
viewMapElement.getAttribute("strict-transport-security");
              this.description = UtilXml.childElementValue(viewMapElement, 
"description");
              if (UtilValidate.isEmpty(this.page)) {
                  this.page = this.name;
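Review bot: `viewMapElement.getAttribute("x-frame-options")` reads an attribute name that the site-conf.xsd hunk in this same commit never declares; the schema defines `x-frame-option` (singular), so a controller.xml that validates against the schema will never have its value picked up here (getAttribute returns "" for a missing attribute) and the header silently falls back to the hard-coded sameorigin in RequestHandler, while a file spelled `x-frame-options` will fail schema validation instead. Align the two names, e.g. `this.xFrameOption = viewMapElement.getAttribute("x-frame-option");` or rename the xsd attribute. The schema's `default="sameorigin"` is presumably only applied by a schema-aware parser, so the fallback in RequestHandler is still needed. The ViewMap constructor starts and ends outside this hunk.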

Modified: 
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1719660&r1=1719659&r2=1719660&view=diff
==============================================================================
--- 
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java 
(original)
+++ 
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java 
Sat Dec 12 11:37:56 2015
@@ -128,7 +128,7 @@ public class RequestHandler {
      public void doRequest(HttpServletRequest request, HttpServletResponse 
response, String chain,
              GenericValue userLogin, Delegator delegator) throws 
RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {
- final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(
+        final boolean throwRequestHandlerExceptionOnMissingLocalRequest = 
EntityUtilProperties.propertyValueEqualsIgnoreCase(
                  "requestHandler.properties", 
"throwRequestHandlerExceptionOnMissingLocalRequest", "Y", delegator);
          long startTime = System.currentTimeMillis();
          HttpSession session = request.getSession();
@@ -694,7 +694,7 @@ public class RequestHandler {
                      viewName = nextRequestResponse.value;
                  }
                  if (UtilValidate.isEmpty(viewName) && 
UtilValidate.isNotEmpty(nextRequestResponse.value)) {
-                       viewName = nextRequestResponse.value;
+                    viewName = nextRequestResponse.value;
                  }
                  if (urlParams != null) {
                      for (Map.Entry<String, Object> urlParamEntry: 
urlParams.entrySet()) {
@@ -984,6 +984,26 @@ public class RequestHandler {
             UtilHttp.setResponseBrowserProxyNoCache(resp);
             if (Debug.verboseOn()) Debug.logVerbose("Sending no-cache headers for view 
[" + nextPage + "]", module);
          }
+
+        String xFrameOption = viewMap.xFrameOption;
+        // default to sameorigin
+        if (UtilValidate.isNotEmpty(xFrameOption)) {
+            resp.addHeader("x-frame-options", xFrameOption);
+        } else {
+            resp.addHeader("x-frame-options", "sameorigin");
+        }
+
+        String strictTransportSecurity = viewMap.strictTransportSecurity;
+        // default to "max-age=31536000; includeSubDomains" 31536000 secs = 1 
year
+        if (UtilValidate.isNotEmpty(strictTransportSecurity)) {
+            if (!"none".equals(strictTransportSecurity)) {
+                resp.addHeader("strict-transport-security", 
strictTransportSecurity);
+            }
+        } else {
+            if (EntityUtilProperties.getPropertyAsBoolean("requestHandler", 
"strict-transport-security", true)) { // FIXME later pass req.getAttribute("delegator") 
as last argument
+                resp.addHeader("strict-transport-security", "max-age=31536000; 
includeSubDomains");
+            }
+        }
try {
              if (Debug.verboseOn()) Debug.logVerbose("Rendering view [" + nextPage + "] of 
type [" + viewMap.type + "]", module);
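Review bot: The xsd documentation added in this commit states that the HSTS default is not applied when the server is localhost or 127.0.0.1, but no such check exists in the new code: the `max-age=31536000; includeSubDomains` header is added for every rendered view whenever the property is true, which is exactly the situation the requestHandler.properties comment warns about for unsigned certificates. Either implement the exemption by inspecting the request's server name before the `getPropertyAsBoolean` branch, or remove the sentence from the schema documentation so the two agree. Separately, `resp.addHeader` appends rather than replaces; if this rendering path can run more than once for a single response (view chains, forwards), the client receives duplicate or, with differing view settings, conflicting `x-frame-options` values, and browser handling of that case is not uniform, so `resp.setHeader("x-frame-options", ...)` and `resp.setHeader("strict-transport-security", ...)` are the safer calls here. The enclosing render method starts and ends outside this hunk.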
@@ -1024,7 +1044,7 @@ public class RequestHandler {
       */
      @Deprecated
      public static String getDefaultServerRootUrl(HttpServletRequest request, 
boolean secure) {
-       Delegator delegator = (Delegator) request.getAttribute("delegator");
+        Delegator delegator = (Delegator) request.getAttribute("delegator");
          String httpsPort = EntityUtilProperties.getPropertyValue("url", "port.https", 
"443", delegator);
          String httpsServer = EntityUtilProperties.getPropertyValue("url", 
"force.https.host", delegator);
          String httpPort = EntityUtilProperties.getPropertyValue("url", "port.http", 
"80", delegator);




Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
