0047996: make core2/pos2 CSP ready

Description

Core2 applications should support Content Security Policy (CSP) headers [1].

---
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP [^]

Steps To Reproduce

1. Configure app server to include CSP header by either:

a. setting it in Apache
or
b. setting it in Tomcat (ie. apply attached diff)

2. Run pos2 (in production mode) and ensure everything is working fine
-> check developers console to ensure no script execution was prevented

Proposed Solution

1. Remove all inline scripts (if any)
2(?) Decide whether this should mode should be used in CI. Note backoffice does not support CSP. Maybe running in report only mode [1] and ensure no reports are produced.

---
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only [^]

Tags

No tags attached.

Attached Files

tomcat-csp.diff [^] (1,050 bytes) 2021-11-05 07:40 [Show Content] [Hide Content]

diff --git a/src/org/openbravo/dal/core/DalRequestFilter.java b/src/org/openbravo/dal/core/DalRequestFilter.java
index 5859e9cc7b..059a558e3c 100644
--- a/src/org/openbravo/dal/core/DalRequestFilter.java
+++ b/src/org/openbravo/dal/core/DalRequestFilter.java
@@ -28,6 +28,7 @@ import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -77,6 +78,9 @@ public class DalRequestFilter implements Filter {
   @Override
   public void doFilter(final ServletRequest request, final ServletResponse response,
       final FilterChain chain) throws IOException, ServletException {
+    if (response instanceof HttpServletResponse) {
+      ((HttpServletResponse) response).setHeader("Content-Security-Policy", "script-src 'self'");
+    }
     final DalThreadHandler dth = new DalThreadHandler() {
 
       @Override

Relationships [ Relation Graph ] [ Dependency Graph ]

depends on	defect	0047837	closed	alostale	index.html has inline scripts
depends on	design defect	0047997	acknowledged	Triage Platform Base	can't print documents if CSP headers are set
Not all the children of this issue are yet resolved or closed.

Notes
There are no notes attached to this issue.

Issue History
Date Modified	Username	Field	Change
2021-11-05 07:33	alostale	New Issue
2021-11-05 07:33	alostale	Assigned To	=> platform
2021-11-05 07:33	alostale	OBNetwork customer	=> No
2021-11-05 07:33	alostale	Triggers an Emergency Pack	=> No
2021-11-05 07:33	alostale	Issue generated from	0047837
2021-11-05 07:33	alostale	Relationship added	depends on 0047837
2021-11-05 07:40	alostale	File Added: tomcat-csp.diff
2021-11-05 07:50	alostale	Relationship added	depends on 0047997
2021-12-16 10:30	caristu	Status	new => acknowledged
2022-02-01 08:07	alostale	Assigned To	platform => Triage Platform Base