0047996: make core2/pos2 CSP ready - Openbravo Issue Tracking System

Openbravo Issue Tracking System - POS2

View Issue Details

Project

Category

View Status

Date Submitted

Last Update

0047996

POS2

Core

public

2021-11-05 07:33

2022-02-01 08:07

Reporter

alostale

Assigned To

Triage Platform Base

Priority

normal

Severity

minor

Reproducibility

have not tried

Status

acknowledged

Resolution

open

Platform

OS Version

Product Version

Target Version

Fixed in Version

Merge Request Status

Review Assigned To

OBNetwork customer

Support ticket

Regression level

Regression date

Regression introduced in release

Regression introduced by commit

Triggers an Emergency Pack

Summary

0047996: make core2/pos2 CSP ready

Description

Core2 applications should support Content Security Policy (CSP) headers [1].

---
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP [^]

Steps To Reproduce

1. Configure app server to include CSP header by either:

a. setting it in Apache
or
b. setting it in Tomcat (ie. apply attached diff)

2. Run pos2 (in production mode) and ensure everything is working fine
-> check developers console to ensure no script execution was prevented

Proposed Solution

1. Remove all inline scripts (if any)
2(?) Decide whether this should mode should be used in CI. Note backoffice does not support CSP. Maybe running in report only mode [1] and ensure no reports are produced.

---
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only [^]

Additional Information

Tags

No tags attached.

Relationships

depends on	defect	0047837	closed	alostale	index.html has inline scripts
depends on	design defect	0047997	acknowledged	Triage Platform Base	can't print documents if CSP headers are set
Not all the children of this issue are yet resolved or closed.