commit a2df23874ad23aec0af6e26ef09ea568ab073b4e
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sat Mar 16 18:58:58 2024 +0100
Improved: Configure the CSP policy in security.properties (OFBIZ-11951)
As suggested by Alex Bodnaru at OFBIZ-11889, it is better to have the CSP policy in a configuration file; security.properties fits.
---
.../base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java | 9 ++++++++-
framework/security/config/security.properties | 9 +++++++++
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
index 3ba66da041..eb8515e2d1 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
@@ -1267,7 +1267,14 @@ public final class UtilHttp {
         **/
         resp.addHeader("X-XSS-Protection", "1; mode=block");
         resp.setHeader("Referrer-Policy", "no-referrer-when-downgrade"); // This is the default (in Firefox at least)
-        resp.setHeader("Content-Security-Policy-Report-Only", "default-src 'self'");
+
+        if (EntityUtilProperties.getPropertyAsBoolean("security", "useContent-Security-Policy", true)) {
+            String contentSecurityPolicy = EntityUtilProperties.getPropertyValueFromDelegatorName(
+                    "security", "Content-Security-Policy", "Content-Security-Policy-Report-Only", "default");
+            String policyDirectives = EntityUtilProperties.getPropertyValueFromDelegatorName(
+                    "security", "PolicyDirectives", "default-src 'self'", "default");
+            resp.setHeader(contentSecurityPolicy, policyDirectives);
+        }
         SameSiteFilter.addSameSiteCookieAttribute(resp);
         // TODO in custom project. Public-Key-Pins-Report-Only is interesting but can't be used OOTB because of demos (the letsencrypt certificate
         // is renewed every 3 months)
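Review bot: `resp.setHeader(contentSecurityPolicy, policyDirectives)` uses the configured `Content-Security-Policy` property value as the response header name without checking it, so a typo or stray value in security.properties (or, presumably, in the SystemProperty entity that getPropertyValueFromDelegatorName also consults) silently emits an arbitrary header and no CSP at all, with nothing in the logs. Only two header names are meaningful here, so I would accept just those and fall back to report-only while logging a warning: `if (!"Content-Security-Policy".equals(contentSecurityPolicy) && !"Content-Security-Policy-Report-Only".equals(contentSecurityPolicy)) {` / `    contentSecurityPolicy = "Content-Security-Policy-Report-Only";` / `}`. Note also that the report-only default carries no `report-uri`/`report-to` directive, so violations are only visible in the browser console unless an operator adds one to `PolicyDirectives`. The enclosing method begins and ends outside the hunk.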
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 94f4c4a296..63407fc306 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -313,3 +313,12 @@ allowedURIsForFreemarkerInterpolation=
 #-- Configure if after-login events are run in doMainLogin (default) or in doBasicLogin
 security.login.loginEventsAfterBasicLogin=N
+
+#-- Use Content-Security-Policy or not
+useContent-Security-Policy=true
+
+#-- Type of Content-Security-Policy when used
+Content-Security-Policy=Content-Security-Policy-Report-Only
+
+#-- Define policy directives, see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+PolicyDirectives=default-src 'self'
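Review bot: The comment above `Content-Security-Policy=Content-Security-Policy-Report-Only` says "Type of Content-Security-Policy when used" but does not tell the operator which values are valid or what they change, and the value is passed straight through as the header name in UtilHttp. I would make the accepted values explicit: `#-- Header to send: Content-Security-Policy (directives are enforced by the browser) or Content-Security-Policy-Report-Only (violations are reported, nothing is blocked)`. The `PolicyDirectives` comment should also warn that switching to the enforcing header with the shipped `default-src 'self'` blocks inline scripts and styles and any third-party origin, so it needs testing against the deployed applications first, and that report-only mode only surfaces violations to an operator if a `report-uri` or `report-to` directive is added here.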