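/**
 * Checks whether the CSP header can be omitted for this request because the policy is
 * already inherited from the top-level one.app context (see
 * https://www.w3.org/TR/CSP2/#which-policy-applies).
 *
 * <p>The header is skipped only when all of the following hold: CSP2 is supported by the
 * requesting client, the descriptor is {@code one:one}, the requested {@code aura.format}
 * is not {@code HTML}, and an {@code aura.context} parameter is present.
 *
 * @param defDesc descriptor of the definition being served; {@code null} never skips
 * @param req the current request; {@code null} never skips
 * @return {@code true} if emitting the CSP header can be skipped for this request
 */
private boolean canSkipCSPHeader(final DefDescriptor<?> defDesc, final HttpServletRequest req) {
    // Short-circuit '||' rather than bitwise '|': no reason to evaluate both operands.
    if (defDesc == null || req == null) {
        return false;
    }
    // CSP inheritance is supported starting from CSP2.
    if (!isCSP2Supported(req)) {
        return false;
    }
    // Only skip while loading one.app; constant-first equals tolerates a null descriptor name.
    final String descriptorName = defDesc.getDescriptorName();
    if (!"one:one".equals(descriptorName)) {
        return false;
    }
    // An HTML response is a navigable document and must carry its own policy.
    final String auraFormat = req.getParameter("aura.format");
    if ("HTML".equals(auraFormat)) {
        return false;
    }
    // Skip one.app requests for non-HTML content with an already established aura context.
    // NOTE(review): aura.format and aura.context are client-supplied request parameters, so
    // this decision is driven by the caller; it relies on non-HTML responses not being
    // rendered as documents — confirm that assumption holds for every non-HTML format served.
    final String auraContext = req.getParameter("aura.context");
    return auraContext != null;
}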