- Oracle HTTP Server can be configured to return a Content-Security-Policy response header, including related values such as the report-uri directive.
- The browser processes CSP headers, not the web server, so OHS simply returns the headers without processing them.
- OHS has no limitations on what CSP response header names and values it can return to the browser; they are handled like any other response headers.

3/13/24, 2:27 PM Document 2698559.1
Copyright (c) 2024, Oracle. All rights reserved. Oracle Confidential.

Does Oracle HTTP Server Support Content Security Policy (CSP) Content-Security-Policy-Report-Only Header and report-uri Header Value (Doc ID 2698559.1)

In this Document
Goal
Solution
References

Document Details
Type: HOWTO
Status: PUBLISHED
Last Major Update: Aug 6, 2020
Last Update: Sep 12, 2023

APPLIES TO:
Oracle HTTP Server - Version 11.1.1.2.0 and later
Information in this document applies to any platform.

GOAL

Explain Oracle HTTP Server's role in Content-Security-Policy (CSP) usage.


Using the following two questions as examples:

Does OHS support the "report-uri" directive of CSP? e.g.
Header set Content-Security-Policy: "default-src 'self'; report-uri /<APP_NAME>"
Header set Content-Security-Policy: "default-src 'self'; report-uri https://<FQDN>/<APP_NAME>"

Does OHS support the CSP Report Only header "Content-Security-Policy-Report-Only"? e.g.
Header set Content-Security-Policy-Report-Only: "default-src 'self'; report-uri /<APP_NAME>"
SOLUTION

CSP is a browser-side mechanism. Web servers such as OHS can be configured to return response headers with specific CSP header names and values.
Browsers process the CSP header and its values; that processing is outside the control of OHS.

OHS can be configured to return any response header name and value; there is little limitation on what can be configured for response header names and values. OHS uses the Apache mod_headers module for this.

Reference: http://httpd.apache.org/docs/2.2/mod/mod_headers.html

e.g.

Header set TestHeader "some-src 'self'; some-uri /index.html"

Similarly, response header names/values can be set to CSP-related values. OHS will return these headers to the browser as with any other response headers. There is no limitation on OHS in this respect.

Note that Header set acts on the response as it leaves OHS, including responses proxied from WebLogic Server, so it replaces a Content-Security-Policy header that the application itself emits. Header add would send both, and a browser enforces every CSP header it receives (a resource load must satisfy all of them). Check the headers that actually reach the client, for example with curl -sI against the OHS front end, rather than assuming the configuration took effect.
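The two questions in the GOAL, answered as an added OHS httpd.conf fragment. This is an illustration written for this page, not configuration taken from the Oracle note: <APP_NAME>, <WLS_HOST>, <WLS_PORT> and the /csp-report path are placeholders, and the mod_wl_ohs Location block assumes the application behind OHS runs on WebLogic Server.

```apache
# Added example (not from the Oracle note): OHS httpd.conf fragment that
# returns an enforced CSP and a report-only trial policy.  <APP_NAME>,
# <WLS_HOST>, <WLS_PORT> and /csp-report are placeholders.
<IfModule mod_headers.c>
    # "always" also covers non-2xx responses (error pages, redirects),
    # which the default "onsuccess" condition would skip.
    # mod_headers takes the bare header name; the documented form has
    # no trailing colon.
    Header always set Content-Security-Policy \
        "default-src 'self'; report-uri /<APP_NAME>/csp-report"

    # Trial a stricter policy without breaking the application: the
    # browser reports violations of this one but blocks nothing.  Both
    # headers may be sent on the same response.
    Header always set Content-Security-Policy-Report-Only \
        "default-src 'self'; script-src 'self'; object-src 'none'; report-uri /<APP_NAME>/csp-report"
</IfModule>

# The browser POSTs a JSON violation report to the report-uri.  OHS does
# nothing with it; the path must reach the application, here by routing
# it through mod_wl_ohs to the WebLogic server that hosts <APP_NAME>.
<Location /<APP_NAME>>
    SetHandler weblogic-handler
    WebLogicHost <WLS_HOST>
    WebLogicPort <WLS_PORT>
</Location>
```

Because "always" writes to a separate header table from the one a proxied backend fills, a Content-Security-Policy header emitted by the application can still reach the client alongside this one; confirm with curl -sI that exactly the intended CSP headers are returned before relying on the policy.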
Summary:

- The browser must support the CSP response header name/values that OHS returns.
- The CSP report-uri directive is not processed by OHS; it is processed by the browser. When a policy is violated, the browser POSTs a JSON violation report (Content-Type application/csp-report) to the report-uri. If that URI points back through OHS, the application behind OHS is expected to be available to accept that POST and handle the report; OHS itself does nothing with it.
- The Content-Security-Policy-Report-Only header can be returned by OHS like any other response header; there is no processing by OHS. The browser reports violations of a report-only policy without blocking anything, so it can be sent alongside an enforced Content-Security-Policy header to trial a stricter policy.
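What the application at the report-uri has to handle, as an added example that is not part of the Oracle note: a parser for the violation report a browser POSTs to that URI. The request metadata and the sample report are constructed for illustration; the field names are those of the legacy csp-report JSON object browsers send for report-uri (the newer report-to mechanism uses a different body shape and is not handled here).

```python
"""Added example (not part of the Oracle note): minimal handling of the
violation report a browser POSTs to a CSP report-uri.  OHS only forwards
the POST; the application behind it must accept and parse the body.
SAMPLE_REPORT below is constructed for illustration."""
import json
from typing import Optional

# Content types browsers use when POSTing to report-uri.
REPORT_CONTENT_TYPES = {"application/csp-report", "application/json"}

# Keys of the legacy report-uri body (the "csp-report" object).
REPORT_FIELDS = (
    "document-uri", "referrer", "violated-directive", "effective-directive",
    "original-policy", "blocked-uri", "status-code", "source-file",
    "line-number", "column-number", "disposition",
)

MAX_BODY = 16 * 1024  # real reports are small; cap to shed junk POSTs


def parse_csp_report(method: str, content_type: str, body: bytes) -> Optional[dict]:
    """Return a normalised violation record, or None if the request is not
    a well-formed CSP report.  Unknown keys are dropped and values are
    coerced to int or a length-capped str so they are safe to log."""
    if method.upper() != "POST" or len(body) > MAX_BODY:
        return None
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime not in REPORT_CONTENT_TYPES:
        return None
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        return None
    record = {}
    for key in REPORT_FIELDS:
        if key in report:
            value = report[key]
            record[key] = value if isinstance(value, int) else str(value)[:2048]
    # Without these two fields there is nothing actionable in the report.
    if "violated-directive" not in record or "document-uri" not in record:
        return None
    return record


def summarise(record: dict) -> str:
    """One log line per violation, in a form an operator can grep."""
    return "csp-violation doc=%s directive=%s blocked=%s disposition=%s" % (
        record["document-uri"], record["violated-directive"],
        record.get("blocked-uri", "-"), record.get("disposition", "-"))


# Constructed sample: a report-only policy flagged a third-party script.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://www.example.com/app/page",
        "referrer": "",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "original-policy": "default-src 'self'; script-src 'self'; report-uri /app/csp-report",
        "disposition": "report",
        "blocked-uri": "https://cdn.example.net/lib.js",
        "status-code": 200,
    }
}).encode("utf-8")

if __name__ == "__main__":
    rec = parse_csp_report("POST", "application/csp-report", SAMPLE_REPORT)
    print(summarise(rec))
```

The endpoint must accept POST, and since report-uri is a same-origin path in the note's examples, every report arrives through OHS; keep the handler cheap and rate-limited, because anything that can reach the site can also POST arbitrary bodies to it.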
If the concern is about Cross-Site Scripting (XSS) vulnerabilities, please review the following:
Oracle HTTP Server Recommendations to Prevent Cross-Site Scripting (XSS) Attacks (Doc ID 2370975.1)
How to Configure the X-Frame-Options Header to Mitigate Clickjacking Attempts Using OHS and WLS Applications (Doc ID 2040420.1)

REFERENCES

https://docs.report-uri.com/setup/csp/
https://test.report-uri.com/r/d/csp/wizard
http://httpd.apache.org/docs/2.2/mod/mod_headers.html
https://en.wikipedia.org/wiki/Content_Security_Policy

https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=279969228549434&parent=EXTERNAL_SEARCH&sourceId=HOWTO&id=2698…

Related Products: Middleware > Application Servers > Oracle Application Server > Oracle HTTP Server > MICC Transfer to TSC
