Package net.sf.basedb.clients.web.servlet

Class ContentSecurityPolicyFilter

java.lang.Object

net.sf.basedb.clients.web.servlet.ContentSecurityPolicyFilter

All Implemented Interfaces:

Filter

public final class ContentSecurityPolicyFilter
extends Object
implements Filter

This is a filter that sets the "Content-Security-Policy" header in the http response. See http://base.thep.lu.se/ticket/1712 for more information.

Since:

3.3

Author:

Nicklas

Last modified

$Date$

Field Summary

Fields

Modifier and Type	Field	Description
private String	cspHeader
private static Pattern	PATH_MATCH
private String	policy
private boolean	reportOnly
private static boolean	UNSAFE_INLINE_SCRIPTS_ARE_ALLOWED
private static Set<String>	unsafeResources
private String	unsafeResourcesPolicy

Constructor Summary

Constructors

Constructor	Description
ContentSecurityPolicyFilter()

Method Summary

Modifier and Type	Method	Description
private String	addReportUriIfNeeded(String policy, FilterConfig config)
void	destroy()
void	doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
void	init(FilterConfig config)
static boolean	isUnsafeInlineScriptsAllowed()	Checks if the current policy allows 'unsafe-inline' for the 'script-src' attribute.
static void	setSafeResources(String jarName, boolean safeResources)	Set a flag indicating if resources from the given extension JAR file are should use the regular policy or the 'unsafe-resources' policy.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

UNSAFE_INLINE_SCRIPTS_ARE_ALLOWED

private static boolean UNSAFE_INLINE_SCRIPTS_ARE_ALLOWED

unsafeResources

private static final Set<String> unsafeResources

PATH_MATCH

private static final Pattern PATH_MATCH

policy

private String policy

unsafeResourcesPolicy

private String unsafeResourcesPolicy

reportOnly

private boolean reportOnly

cspHeader

private String cspHeader

Constructor Details

ContentSecurityPolicyFilter

public ContentSecurityPolicyFilter()

Method Details

isUnsafeInlineScriptsAllowed

public static boolean isUnsafeInlineScriptsAllowed()

Checks if the current policy allows 'unsafe-inline' for the 'script-src' attribute. If not we need to check extensions and display a warning to the admin that the extension may not work.

setSafeResources

public static void setSafeResources(String jarName,
boolean safeResources)

Set a flag indicating if resources from the given extension JAR file are should use the regular policy or the 'unsafe-resources' policy.

init

public void init(FilterConfig config)

Specified by:

init in interface Filter

destroy

public void destroy()

Specified by:

destroy in interface Filter

doFilter

public void doFilter(ServletRequest request,
ServletResponse response,
FilterChain chain)
              throws IOException,
ServletException

Specified by:

doFilter in interface Filter

Throws:

IOException

ServletException

addReportUriIfNeeded

private String addReportUriIfNeeded(String policy,
FilterConfig config)