View Issue Details
ID | ||||||||
0047837 | ||||||||
Type | Category | Severity | Reproducibility | Date Submitted | Last Update | |||
defect | [POS2] Core | minor | have not tried | 2021-10-13 09:10 | 2021-11-11 07:01 | |||
Reporter | alostale | View Status | public | |||||
Assigned To | alostale | |||||||
Priority | normal | Resolution | fixed | Fixed in Version | ||||
Status | closed | Fix in branch | Fixed in SCM revision | |||||
Projection | none | ETA | none | Target Version | ||||
OS | Any | Database | Any | Java version | ||||
OS Version | Database version | Ant version | ||||||
Product Version | SCM revision | |||||||
Review Assigned To | ||||||||
Regression level | ||||||||
Regression date | ||||||||
Regression introduced in release | ||||||||
Regression introduced by commit | ||||||||
Triggers an Emergency Pack | No | |||||||
Summary | 0047837: index.html has inline scripts | |||||||
Description | Core2 applications' index.html has some inline scripts. This is a discouraged practice. Its execution would be prevented if a strict CSP is put in place [1]. --- [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP | |||||||
Steps To Reproduce | 1. Configure app server to include CSP header by either: a. setting it in Apache or b. setting it in Tomcat (i.e. apply attached diff) 2. Run pos2 (in production mode) -> ERROR: it is not rendered | |||||||
Tags | No tags attached. | |||||||
Attached Files | tomcat-csp.diff (1,050 bytes) 2021-10-13 09:11 | |||||||
Notes | |
(0132365) hgbot (developer) 2021-10-15 13:21 |
Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2/-/merge_requests/650 |
(0132947) hgbot (developer) 2021-11-11 07:01 |
Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2/-/merge_requests/650 |
(0132948) hgbot (developer) 2021-11-11 07:01 |
Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2
Changeset: d6faee6d1115154bb728de8624a2428a178827b0
Author: Asier Lostalé <asier.lostale@openbravo.com>
Date: 2021-11-11T05:59:41+00:00
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2/-/commit/d6faee6d1115154bb728de8624a2428a178827b0

fixed ISSUE-47837: index.html has inline scripts

It fixes the two inline scripts that were present in index.html when served in production mode:

1. prevents CRA to inline script in index.html
By default when CRA builds the production bundle, inlines the main script in the index.html file. Adding the INLINE_RUNTIME_CHUNK=false environment variable to the build prevents this behavior importing the script from a separate file.

2. removes title setter inline script in index.html
This inline script using CRA's variable substitution to set the application's title cannot directly be used with the same mechanism from js files as substitution occurs only in index.html. Setting the title has been moved to initialization phase.

---
M src/org/openbravo/core2/build/ProductionBundleBuilder.java
M web-jspack/org.openbravo.core2/public/index.html
M web-jspack/org.openbravo.core2/src/core/AppInitializer.js
M web-jspack/org.openbravo.core2/src/core/Initialization.js
--- |
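
A build-output check for the condition this issue describes, as an added example that is not Openbravo's code: it scans an index.html string for executable `<script>` elements without `src`, which a CSP whose `script-src` lacks `'unsafe-inline'` (and any matching nonce or hash) refuses to run. The sample markup, the `%APP_TITLE%` placeholder and the script file names are constructed for illustration.

```javascript
// Added example: list <script> elements that a CSP without 'unsafe-inline' blocks.
// Regex scanning suits a build-output check; it is not a full HTML parser.
const JS_TYPES = new Set(['', 'module', 'text/javascript', 'application/javascript']);

// Return the value of attribute `name` from a tag's attribute string, or null.
function attr(attrs, name) {
  const re = new RegExp(
    `(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findInlineScripts(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    if (attr(attrs, 'src') !== null) continue;   // external file, governed by script-src sources
    const type = (attr(attrs, 'type') || '').trim().toLowerCase();
    if (!JS_TYPES.has(type)) continue;           // data block (e.g. JSON), never executed
    if (body.trim() === '') continue;            // empty element, nothing to run
    const line = html.slice(0, m.index).split('\n').length;
    findings.push({ line, snippet: body.trim().slice(0, 40) });
  }
  return findings;
}

// Constructed samples, not the project's real index.html.
const BEFORE = [
  '<!DOCTYPE html>',
  '<html><head>',
  '<script>document.title = "%APP_TITLE%";</script>',      // title setter
  '<script type="application/json">{"k":1}</script>',      // data only, not flagged
  '</head><body><div id="root"></div>',
  '<script>!function(e){/* inlined runtime chunk */}([])</script>',
  '<script src="/static/js/main.chunk.js"></script>',
  '</body></html>',
].join('\n');

const AFTER = [
  '<!DOCTYPE html>',
  '<html><head></head><body><div id="root"></div>',
  '<script src="/static/js/runtime-main.js"></script>',
  '<script src="/static/js/main.chunk.js"></script>',
  '</body></html>',
].join('\n');

console.log('before:', findInlineScripts(BEFORE));
console.log('after:', findInlineScripts(AFTER));
```

Run against the production bundle's index.html in CI, a non-empty result means the page will break under the CSP header from the steps to reproduce.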
Issue History | |||
Date Modified | Username | Field | Change |
2021-10-13 09:10 | alostale | New Issue | |
2021-10-13 09:10 | alostale | Assigned To | => Retail |
2021-10-13 09:10 | alostale | Triggers an Emergency Pack | => No |
2021-10-13 09:11 | alostale | File Added: tomcat-csp.diff | |
2021-10-13 09:12 | alostale | Relationship added | related to 0046950 |
2021-10-13 09:17 | alostale | Proposed Solution updated | |
2021-10-15 13:21 | hgbot | Note Added: 0132365 | |
2021-10-18 11:28 | guilleaer | Status | new => scheduled |
2021-10-18 11:28 | guilleaer | Assigned To | Retail => alostale |
2021-11-05 07:33 | alostale | Issue cloned | 0047996 |
2021-11-05 07:33 | alostale | Relationship added | blocks 0047996 |
2021-11-05 07:39 | alostale | Type | feature request => defect |
2021-11-05 07:39 | alostale | Summary | make core2/pos2 CSP ready => index.html has inline scripts |
2021-11-05 07:39 | alostale | Description Updated | View Revisions |
2021-11-05 07:39 | alostale | Steps to Reproduce Updated | View Revisions |
2021-11-05 07:39 | alostale | Proposed Solution updated | |
2021-11-11 07:01 | hgbot | Note Added: 0132947 | |
2021-11-11 07:01 | hgbot | Resolution | open => fixed |
2021-11-11 07:01 | hgbot | Status | scheduled => closed |
2021-11-11 07:01 | hgbot | Note Added: 0132948 |