  1. OFBiz
  2. OFBIZ-10417

Create a Content Security Policy

Details

    • Improvement
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • None
    • None
    • framework
    • None

    Description

      At OFBIZ-6766 I have added a Content Security Policy.

      To not block anything for the moment, I have committed a report-only policy using the Content-Security-Policy-Report-Only header.

      The idea is that we can look at the issues using browser tools.
      The next step is to report the errors (when there are not too many) in the log using a report-uri.
      And ultimately to use OOTB the most simple and constraining policy, with exceptions of course (as ever).
      If we encounter performance issues, or other disagreements, we can even comment out the current Content-Security-Policy-Report-Only.

      Sincerely, I think it will be left as is and we will let users decide on their own CSP... So the report-only mode is just a reminder for them...
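
The report-uri step described above, sketched as an added example (not part of this issue or of OFBiz code): it aggregates the JSON bodies browsers POST to a report-uri endpoint into counts per directive and blocked source, which is the data needed to decide which exceptions an enforcing policy requires. The function names and sample reports are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit


def _token(value):
    """Accept only CSP-style keywords/directive names (letters, hyphens)."""
    if isinstance(value, str) and value.replace("-", "").isalpha():
        return value
    raise ValueError("unexpected value")


def blocked_source(blocked_uri):
    """Reduce blocked-uri to an origin, a scheme, or a keyword like 'inline'."""
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https") and parts.hostname:
        return f"{parts.scheme}://{parts.netloc}"   # drop path and query
    if parts.scheme:
        return _token(parts.scheme) + ":"           # data:, blob:, ...
    return _token(blocked_uri)


def summarize(raw_bodies):
    """Count violations per (directive, source); count unusable bodies."""
    counts, rejected = Counter(), 0
    for raw in raw_bodies:
        try:
            report = json.loads(raw)["csp-report"]
            directive = _token((report.get("effective-directive")
                                or report["violated-directive"]).split()[0])
            source = blocked_source(report.get("blocked-uri") or "empty")
        except (ValueError, KeyError, TypeError, AttributeError, IndexError):
            rejected += 1   # the endpoint is unauthenticated: distrust input
            continue
        counts[(directive, source)] += 1
    return counts, rejected


def _sample(directive, blocked):
    # Constructed report body in the "csp-report" shape; not real log data.
    return json.dumps({"csp-report": {
        "document-uri": "https://localhost:8443/example/control/main",
        "effective-directive": directive, "blocked-uri": blocked}})


SAMPLES = [
    _sample("script-src-elem", "https://cdn.example.org/lib/a.js"),
    _sample("script-src-elem", "https://cdn.example.org/lib/b.js?v=2"),
    _sample("style-src-attr", "inline"),
    _sample("img-src", "data:image/png;base64,AAAA"),
    "not json",
    _sample("img-src;evil", "inline"),
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLES)[0].most_common():
        print(n, *key)
```
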

            People

              Unassigned Unassigned
              jleroux Jacques Le Roux