[jira] [Commented] (OFBIZ-11889) fixes for csp-report subsystem
[ https://issues.apache.org/jira/browse/OFBIZ-11889?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17827731#comment-17827731 ]

ASF subversion and git services commented on OFBIZ-11889:

Commit a2df23874ad23aec0af6e26ef09ea568ab073b4e in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=a2df23874a ]

Improved: Configure the CSP policy in security.properties (OFBIZ-11951)

As suggested by Alex Bodnaru at OFBIZ-11889 it would be better to have the CSP policy in a configuration file, security.properties fits

> fixes for csp-report subsystem
> --
>
> Key: OFBIZ-11889
> URL: https://issues.apache.org/jira/browse/OFBIZ-11889
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL COMPONENTS
> Affects Versions: Release Branch 17.12, Trunk, Upcoming Branch
> Reporter: Alex Bodnaru
> Assignee: Jacques Le Roux
> Priority: Major
> Attachments: OFBIZ-11889.patch, csp-report.patch
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> added report-uri and unsafe-inline support for csp report.
> added handling of csp-reports and logging them as errors.
> unhandled reports are polluting the browser error console.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (OFBIZ-11889) fixes for csp-report subsystem
[ https://issues.apache.org/jira/browse/OFBIZ-11889?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17446421#comment-17446421 ]

Jacques Le Roux commented on OFBIZ-11889:

I have tried using this modified patch [^OFBIZ-11889.patch] (fixed issues in CSPEvents class) but I always get an empty value in request body. Anyway report-uri will be replaced by report-to*. I'll wait for that.

* https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/Content-Security-Policy/report-to
[jira] [Commented] (OFBIZ-11889) fixes for csp-report subsystem
[ https://issues.apache.org/jira/browse/OFBIZ-11889?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17158142#comment-17158142 ]

Jacques Le Roux commented on OFBIZ-11889:

> i'd think it better to be in a configuration file, but it's not urgent.

I agree with you, this is something I missed, developer instinct ;)
[jira] [Commented] (OFBIZ-11889) fixes for csp-report subsystem
[ https://issues.apache.org/jira/browse/OFBIZ-11889?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17158064#comment-17158064 ]

Alex Bodnaru commented on OFBIZ-11889:

cool, thanks Jacques
[jira] [Commented] (OFBIZ-11889) fixes for csp-report subsystem
[ https://issues.apache.org/jira/browse/OFBIZ-11889?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17158012#comment-17158012 ]

Jacques Le Roux commented on OFBIZ-11889:

OK, I'll have a look at what we can do here. I really would like to have a clean browser log too, and I was the one who put CSP in, so...
[jira] [Commented] (OFBIZ-11889) fixes for csp-report subsystem
[ https://issues.apache.org/jira/browse/OFBIZ-11889?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17157926#comment-17157926 ]

Alex Bodnaru commented on OFBIZ-11889:

Hi [~jleroux], I agree to all your comments. Though the CSP is not the most important header in OFBiz, I'd think it better to be in a configuration file, but it's not urgent.

A good day,
[jira] [Commented] (OFBIZ-11889) fixes for csp-report subsystem
[ https://issues.apache.org/jira/browse/OFBIZ-11889?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17157874#comment-17157874 ]

Jacques Le Roux commented on OFBIZ-11889:

Hi Alex,

Thanks for your interesting patch. I understand your POV: a clean log in browser and I much agree with that (it's awful at the moment). But as I said already I'm against using unsafe-inline for security reasons: https://content-security-policy.com/unsafe-inline/

As explained in this page it would be OK coupled with strict-dynamic. Among the "major" browsers only IE (not a major browser anymore) is not able to cope with it. We should not worry about that, IE is no longer supported (only in Windows < 8) and it's the responsibility of users to take care of their own security, as main browsers and more and more sites warn you and even sometimes don't load. So if you are up for it, let's go...

About your patch, you certainly did not use trunk HEAD to create it, but your own modified version (no unsafe-inline in trunk). Please remember to stash, pull and check before creating your patches or PRs. Also I believe the best place for {{}} is not in webtools controller but in common-controller.
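As an added example (not code from OFBiz, the CSPEvents class or the attached patches), a Python sketch of the two points this thread turns on: a report-uri endpoint that parses the browser's CSP violation report and logs it as an error, treating the empty-body case Jacques hit as an error rather than a crash, and a check that flags a script-src that allows 'unsafe-inline' without the 'strict-dynamic' (or nonce/hash) coupling he asks for. The header builder takes a directive map standing in for values read from security.properties; the /control/cspReport path and the sample report body are constructed.

```python
import json
import logging
from typing import Optional

log = logging.getLogger("csp-report")
# Fields of a CSP violation report: a JSON object under "csp-report", POSTed to report-uri.
_FIELDS = ("document-uri", "violated-directive", "effective-directive", "blocked-uri", "original-policy")

def build_csp_header(policy: dict, report_uri: Optional[str] = None) -> str:
    """Serialise a directive -> sources mapping into a Content-Security-Policy header value."""
    parts = [f"{name} {' '.join(srcs)}" for name, srcs in policy.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)

def script_src_has_bare_unsafe_inline(header: str) -> bool:
    """True when script-src allows 'unsafe-inline' with neither 'strict-dynamic' nor a
    nonce/hash source: in that shape the policy no longer stops injected inline scripts."""
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0] == "script-src":
            srcs = set(tokens[1:])
            hardened = "'strict-dynamic'" in srcs or any(
                s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in srcs)
            return "'unsafe-inline'" in srcs and not hardened
    return False

def parse_csp_report(body: bytes) -> Optional[dict]:
    """Parse a report-uri POST body. Logs an error and returns None when the body is
    empty, not JSON or not a CSP report; otherwise logs the violation and returns it."""
    if not body or not body.strip():
        log.error("CSP report received with an empty request body")
        return None
    try:
        doc = json.loads(body)
    except ValueError as exc:
        log.error("CSP report body is not JSON: %s", exc)
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        log.error("CSP report body has no csp-report object")
        return None
    fields = {k: report.get(k) for k in _FIELDS}
    log.error("CSP violation: %s", fields)  # surfaced in the server log, not the browser console
    return fields

# Constructed sample body, in the shape a browser POSTs to report-uri.
SAMPLE_BODY = json.dumps({"csp-report": {
    "document-uri": "https://localhost:8443/webtools/control/main", "blocked-uri": "inline",
    "violated-directive": "script-src 'self'", "effective-directive": "script-src"}}).encode()
```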