Release Notes / Version 12.2404
Table Of Contents
CAE HTTP security now supports configuration of the
Content-Security-Policy
response header via
cae.http-headers.csp.directives
. It has been set to
a same-origin-only policy as recommended by the
OWASP
CSP cheat sheet. The Spring dev
profile
configures report-only mode for Live CAE and disables CSP for the
Preview CAE.
Additionally, for HTTP requests to the Live CAE, the
X-XSS-Protection
response header has been disabled.
Even though setting the X-XSS-Protection
response
header can protect users of older web browsers that don't yet support
CSP, in some cases, XSS protection can create XSS vulnerabilities in
otherwise safe websites. Therefore, it is recommended to use the
Content-Security-Policy
without allowing
unsafe-inline
scripts instead. For further
information, see
X-XSS-Protection
in Mozilla Developer Resources and
OWASP
Content Security Policy Cheat Sheet.
(CMS-23644)