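  /**
   * Checks whether the CSP header can be omitted because the response inherits the policy already
   * established by one.app (the top-level browsing context). See
   * https://www.w3.org/TR/CSP2/#which-policy-applies
   *
   * <p>The decision is driven by request parameters, which are client-controlled: a request that
   * names the {@code one:one} descriptor, does not ask for {@code aura.format=HTML} and carries an
   * {@code aura.context} is treated as a non-document request inside an existing one.app context.
   * NOTE(review): skipping is only safe if such requests never yield a top-level HTML document —
   * confirm against the serving path.
   *
   * @param defDesc descriptor of the definition being served; {@code null} never skips
   * @param req the current request; {@code null} never skips
   * @return {@code true} if setting the CSP header can be skipped
   */
  private boolean canSkipCSPHeader(final DefDescriptor<?> defDesc, final HttpServletRequest req) {
    // Short-circuit '||' rather than the bitwise '|' of the original: same result, clearer intent.
    if (defDesc == null || req == null) {
      return false;
    }

    // CSP inheritance is supported starting from CSP2; older clients always get the header.
    if (!isCSP2Supported(req)) {
      return false;
    }

    // Only skip while loading one.app itself. Constant-first equals also tolerates a null name.
    if (!"one:one".equals(defDesc.getDescriptorName())) {
      return false;
    }

    // HTML responses are top-level documents and must carry their own policy.
    if ("HTML".equals(req.getParameter("aura.format"))) {
      return false;
    }

    // Skip one.app requests for non-HTML content with an already established aura context.
    return req.getParameter("aura.context") != null;
  }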
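  /**
   * Sets mandatory security headers: the Content-Security-Policy header and, derived from its
   * {@code frame-ancestors} terms, an {@code X-Frame-Options} header for anti-clickjacking.
   *
   * <p>Nothing is set when {@link #canSkipCSPHeader} reports that the policy is inherited from
   * one.app, or when the config adapter yields no policy for {@code top}.
   *
   * @param top descriptor of the top-level definition being served, may be {@code null}
   * @param req the current request
   * @param rsp the response whose headers are set
   */
  @Override
  public void setCSPHeaders(DefDescriptor<?> top, HttpServletRequest req, HttpServletResponse rsp) {
    if (canSkipCSPHeader(top, req)) {
      return;
    }

    final String topName = top == null ? null : top.getQualifiedName();
    final ContentSecurityPolicy csp = configAdapter.getContentSecurityPolicy(topName, req);
    if (csp == null) {
      return;
    }

    rsp.setHeader(CSP.Header.SECURE, csp.getCspHeaderValue());

    // A null term list means open to the world: no X-Frame-Options header at all.
    final Collection<String> terms = csp.getFrameAncestors();
    if (terms != null) {
      setFrameOptions(rsp, terms);
    }
  }

  /**
   * Expresses the CSP {@code frame-ancestors} terms as an {@code X-Frame-Options} header where the
   * older header can represent them; with two or more terms nothing is set.
   *
   * <p>NOTE(review): {@code ALLOW-FROM} is not honored by every browser and the {@code ALLOWALL}
   * value is non-standard, so X-Frame-Options is a fallback only — CSP2-aware browsers enforce
   * {@code frame-ancestors} from the CSP header set by the caller. The DENY case uses
   * {@code setHeader} while the single-term cases use {@code addHeader}, so an X-Frame-Options
   * value set earlier in the chain is replaced only for DENY; that asymmetry is preserved from the
   * original — confirm whether it is intended.
   *
   * @param rsp the response whose header is set
   * @param terms the policy's frame-ancestors terms; empty means no framing, a {@code null} element
   *     means same-origin
   */
  private void setFrameOptions(final HttpServletResponse rsp, final Collection<String> terms) {
    if (terms.isEmpty()) {
      // closed to any framing at all
      rsp.setHeader(HDR_FRAME_OPTIONS, HDR_FRAME_DENY);
      return;
    }
    if (terms.size() != 1) {
      // XFO cannot express a list of ancestors; rely on frame-ancestors in the CSP header.
      return;
    }

    // With one ancestor term, we're either SAMEORIGIN or ALLOW-FROM.
    final String site = terms.iterator().next();
    if (site == null) {
      rsp.addHeader(HDR_FRAME_OPTIONS, HDR_FRAME_SAMEORIGIN);
    } else if (!site.contains("*") && !site.matches("^[a-z]+:$")) {
      // XFO can't express wildcards or protocol-only, so set only for a specific site:
      rsp.addHeader(HDR_FRAME_OPTIONS, HDR_FRAME_ALLOWFROM + site);
    } else {
      // When XFO can't express it, still set an ALLOWALL so filters don't jump in
      rsp.addHeader(HDR_FRAME_OPTIONS, HDR_FRAME_ALLOWALL);
    }
  }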