We got a report from a application that finds vulnerabilities on pages and one of the warnings was that Outsystems uses relative url for the css files and because of that is possible to do RPO attacks. http://www.thespanner.co.uk/2014/03/21/rpo/. Anyone knows if this is really a problem. If yes how can we make Outsystems use absolute url?




I am not sure if it's really an issue, because it's a root-relative path and not relative paths.

Hi Marcelo,

At least one of the css files is relative. The one from the theme (if the theme is on the same module).

One workaround is to isolate the theme in another module and use that theme by referencing it.

@J, from what I've read, it's a security issue (even if on the pages there's the "<!DOCTYPE html>" which explicit states that the document is html and not CSS)