Liferay and Content-Security-Policy - liferay

Does Liferay 6.2 provide any support for setting Content-Security-Policy response headers through configuration?
I do not want to add an (admittedly simple) ServletFilter if the support is already there.
Thanks

Portal doesn't support CSP because it contains inline JavaScript and, I believe, also JS templates that are evaluated at runtime.

Related

Using handlebars 4.7.7 with B2C custom policy

The MS documentation for the supported version of Handlebars says v4.6.7 (Runtime) and v4.7.7 (Compiler) are supported.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/page-layout
I have a custom B2C policy using the latest version of the selfasserted page layout
<DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.10</DataUri>.
This page is returning v4.6.7 of Handlebars. Our testing has identified an issue with this version and we need to use v4.7.7.
I can't find B2C documentation on how to implement the compiled version for v4.7.7 using a custom page layout.
Do I need to download handlebars v4.7.7 and reference it in my custom template page, or is there a parameter in the custom policy to enforce the compiler version (v4.7.7)?
Any pointers would be greatly appreciated.
Thanks
We control what is rendered here by the page layout version you select, there is nothing else to configure. Make sure the content definition you are putting the page layout in, is referenced by the self asserted technical profile that’s displaying the page you’re inspecting.

How to use Umbraco7 as API with Vue.js?

I am just learning Umbraco and I have a basic template that has just one alias. What kind of controller should I code for it? Could you please give me an example to reach my alias from js frameworks?
Solution
I have used UmbracoCms.RestApi extension from NuGet and solved my problem.
You can use default endpoints to get properties that you have created in Umbraco Cms before with that extension. There is a video about that.

Click jacking and Missing http security header Vaadin

We recently had a security consultant take a look at our application built using Vaadin. We are still on version 6.
The following advice was given to implement:
- "X-Frame-Options" in the header.
- Content-Security-Policy: script-src 'self'
- X-Content-Type-Options: nosniff
- X-Frame-Options: SAMEORIGIN
- Configure the web server to include the response header X-XSS-Protection: 1; mode=block
My question is, considering vaadin pays attention to security, how does vaadin cope with this situation?
In the official Vaadin documentation for version 6 there is no information available.
I also found this solution, but I'm not sure whether it will work. There is also no solution thread available for this on the Vaadin forum.
Those headers are not directly within Vaadin's sphere of influence. Vaadin could in theory add such headers to responses that it manages, but there are also some scenarios when some of them wouldn't be appropriate which is why they aren't added by default.
For that reason, I would recommend that you configure your hosting environment (e.g. load balancer or application server) to include the header values that you want in all relevant responses. Another alternative is to create a simple Servlet Filter that adds the headers. A variation of that is described in the answer that you linked to.
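Both the Liferay question at the top of the page and the Vaadin answer above end up at the same fix: a servlet filter that sets the headers itself. The filter below is an added example written for this page, not code from Liferay, Vaadin, or either thread; the class name SecurityHeadersFilter and the init-param names csp and report-only are assumptions. It sets the four headers the consultant listed and, because a portal that ships inline JavaScript would have those scripts blocked by script-src 'self' (the point made in the first answer), it can emit the policy as Content-Security-Policy-Report-Only first, so violations are reported in the browser console without breaking pages while the policy is tuned.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds browser security headers to every HTTP response that passes through it.
 *
 * Hypothetical class, written as an example for this page. Register it in the
 * web application's web.xml (filter-mapping with url-pattern /*), for instance:
 *
 *   <filter>
 *     <filter-name>SecurityHeadersFilter</filter-name>
 *     <filter-class>SecurityHeadersFilter</filter-class>
 *     <init-param><param-name>csp</param-name>
 *                 <param-value>default-src 'self'; script-src 'self'</param-value></init-param>
 *     <init-param><param-name>report-only</param-name><param-value>true</param-value></init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>SecurityHeadersFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class SecurityHeadersFilter implements Filter {

    // Policy string sent in the CSP header; overridable via the "csp" init-param (assumed name).
    private String csp;

    // When true, send Content-Security-Policy-Report-Only instead of the enforcing header,
    // so pages with inline scripts keep working while violations are surfaced to the browser.
    private boolean reportOnly;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String policy = config.getInitParameter("csp");
        csp = (policy != null && !policy.trim().isEmpty()) ? policy : "default-src 'self'";
        reportOnly = "true".equalsIgnoreCase(config.getInitParameter("report-only"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse resp = (HttpServletResponse) res;
            // Headers must be set before the response is committed, i.e. before the
            // rest of the chain writes the body; setHeader is ignored afterwards.
            resp.setHeader("X-Frame-Options", "SAMEORIGIN");
            resp.setHeader("X-Content-Type-Options", "nosniff");
            resp.setHeader("X-XSS-Protection", "1; mode=block");
            resp.setHeader(reportOnly ? "Content-Security-Policy-Report-Only"
                                      : "Content-Security-Policy", csp);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Once the report-only run shows no violations for the pages you care about, flip report-only to false (or remove the param) and the same policy is enforced. Setting the headers before chain.doFilter is what makes this reliable in a portal that may flush output early; a filter that sets them after the chain returns will silently do nothing on committed responses.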

Controlling Application Insights javascript injection

The Application Insights extensions in Visual Studio and Azure appear to inject the javascript snippet for page view tracking automatically, even though the docs say you enable this with an Application Setting key "APPINSIGHTS_JAVASCRIPT_ENABLED" = true.
Other docs show how to add the same javascript in my layout view, which I did. As a result I'm now seeing the AI javascript twice, once from my view, once from the AI magic. I'd prefer to control this myself -- how can I prevent the tooling from modifying the pages to inject the script? Setting APPINSIGHTS_JAVASCRIPT_ENABLED to false doesn't seem to work.
I'm working in an ASP.NET Core 2.0 web application.
Try upgrading to the latest version of Microsoft.ApplicationInsights.AspNetCore. They released a new version (2.2.0) today, which resolved the problem for me! The javascript part is not added automatically anymore!

portlet-liferay.xml: How to use portal-javascript-header correctly

I copied jquery.js to WebContent/js/jquery/jquery.js. Now I want to use that file in certain portlets. To do this I created a liferay-portlet.xml that looks like this:
<?xml version="1.0"?>
<!DOCTYPE liferay-portlet-app PUBLIC
    "-//Liferay//DTD Portlet Application 6.0.0//EN"
    "http://www.liferay.com/dtd/liferay-portlet-app_6_0_0.dtd">
<liferay-portlet-app>
    <portlet>
        <portlet-name>MyPortletName</portlet-name>
        <header-portal-javascript>/js/jquery/jquery.js</header-portal-javascript>
    </portlet>
</liferay-portlet-app>
If I access the portlet Liferay generates this line:
<script src="/js/jquery/jquery.js?browserId=firefox&minifierType=js&languageId=en_US&b=6100&t=1326630657000" type="text/javascript"></script>
That leads to a WARN [404_jsp:?] /js/jquery/jquery.js in the logging console.
Is it really correct that the URL looks like this? If I had two war-files, both containing a js-file with the same path, how would Liferay distinguish those two?
What do I need to do to get my setup working?
Using Liferay Portal Community Edition 6.1.0 CE (Paton / Build 6100 / December 15, 2011)
Use
<header-portlet-javascript>/js/jquery/jquery.js</header-portlet-javascript>
instead of
<header-portal-javascript>/js/jquery/jquery.js</header-portal-javascript>
if you put the js-files into the portlet.
Because, according to the comments in the DTD, header-portal-javascript sets the path of the JavaScript relative to the portal's context path, and header-portlet-javascript sets the path of the JavaScript relative to the portlet's context path.
The location for jQuery looks incorrect.
If you're bundling this with your own plugin named foobar-portlet the correct path would be (provided that you use the same liferay-portlet.xml):
foobar-portlet/docroot/js/jquery/jquery.js
Two things:
jQuery is bundled with Liferay 5; check the version of Liferay and which jQuery version it has bundled and see if this meets your needs. However, I believe it's not in Liferay 6 or 6.1, but I could be wrong about that.
And:
If you want to have a JavaScript library available to all of your portlets you're better off adding it to the theme(s) that you use rather than the portlets. This way it will be globally accessible. The downside is that if you're distributing your portlet then you should make people aware of this dependency.
Otherwise if you just want it available to a small group of your portlets, then follow what RP said.
Here's a good reference on using jQuery with Liferay 6.