Static web files can currently be stored in the GeoServer data directory and accessed externally through multiple methods, which can complicate securing access to these files. The purpose of this issue is to change the response headers for static HTML and JavaScript files in the data directory so that web browsers will only be able to load those files properly from the www subdirectory, which is the intended method for GeoServer to serve these files. A system property will also be added that defaults to false and must be explicitly enabled by an administrator for static web files to work properly.
Activity
Jody Garnett March 3, 2024 at 7:16 PM
I am hunting down issues that are actually merged, but still open in version control.