root
/
spring-boot
mirror of https://github.com/spring-projects/spring-boot.git
1
0
Fork 0
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Polish content security policy contribution 

See gh-7373
See gh-7373
This commit is contained in:
Phillip Webb 2016-11-16 14:27:33 -08:00
parent d7bbea63b7
commit 238c22cd73
3 changed files with 23 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java
View File

@ -175,15 +175,17 @@ public class SecurityProperties implements SecurityPrerequisite {
}
public enum ContentSecurityPolicyMode {
/**
* Use the {@code Content-Security-Policy} header.
* Use the 'Content-Security-Policy' header.
*/
DEFAULT,
/**
* Use the {@code Content-Security-Policy-Report-Only} header.
* Use the 'Content-Security-Policy-Report-Only' header.
*/
REPORT_ONLY
}
/**
@ -212,7 +214,7 @@ public class SecurityProperties implements SecurityPrerequisite {
private String contentSecurityPolicy;
/**
* Whether to use the "Content-Security-Policy" or "Content-Security-Policy-Report-Only" header.
* Security policy mode.
*/
private ContentSecurityPolicyMode contentSecurityPolicyMode = ContentSecurityPolicyMode.DEFAULT;
@ -265,7 +267,8 @@ public class SecurityProperties implements SecurityPrerequisite {
return this.contentSecurityPolicyMode;
}
public void setContentSecurityPolicyMode(ContentSecurityPolicyMode contentSecurityPolicyMode) {
public void setContentSecurityPolicyMode(
ContentSecurityPolicyMode contentSecurityPolicyMode) {
this.contentSecurityPolicyMode = contentSecurityPolicyMode;
}

10
spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java
View File

@ -29,6 +29,7 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.autoconfigure.security.SecurityProperties.Headers;
import org.springframework.boot.autoconfigure.security.SecurityProperties.Headers.ContentSecurityPolicyMode;
import org.springframework.boot.autoconfigure.web.ErrorController;
import org.springframework.boot.autoconfigure.web.ServerProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
@ -109,12 +110,13 @@ public class SpringBootWebSecurityConfiguration {
configurer.contentTypeOptions().disable();
}
if (StringUtils.hasText(headers.getContentSecurityPolicy())) {
if (headers.getContentSecurityPolicyMode() == Headers.ContentSecurityPolicyMode.DEFAULT) {
configurer.contentSecurityPolicy(headers.getContentSecurityPolicy());
String policyDirectives = headers.getContentSecurityPolicy();
ContentSecurityPolicyMode mode = headers.getContentSecurityPolicyMode();
if (mode == ContentSecurityPolicyMode.DEFAULT) {
configurer.contentSecurityPolicy(policyDirectives);
}
else {
assert headers.getContentSecurityPolicyMode() == Headers.ContentSecurityPolicyMode.REPORT_ONLY;
configurer.contentSecurityPolicy(headers.getContentSecurityPolicy()).reportOnly();
configurer.contentSecurityPolicy(policyDirectives).reportOnly();
}
}
if (!headers.isXss()) {

17
spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java
View File

@ -214,7 +214,8 @@ public class SpringBootWebSecurityConfigurationTests {
is(notNullValue())))
.andExpect(MockMvcResultMatchers.header().string("X-Frame-Options",
is(notNullValue())))
.andExpect(MockMvcResultMatchers.header().doesNotExist("Content-Security-Policy"));
.andExpect(MockMvcResultMatchers.header()
.doesNotExist("Content-Security-Policy"));
}
@Test
@ -250,9 +251,10 @@ public class SpringBootWebSecurityConfigurationTests {
.getBean("springSecurityFilterChain", Filter.class))
.build();
mockMvc.perform(MockMvcRequestBuilders.get("/"))
.andExpect(MockMvcResultMatchers.header().string("Content-Security-Policy",
is("default-src 'self';")))
.andExpect(MockMvcResultMatchers.header().doesNotExist("Content-Security-Policy-Report-Only"));
.andExpect(MockMvcResultMatchers.header()
.string("Content-Security-Policy", is("default-src 'self';")))
.andExpect(MockMvcResultMatchers.header()
.doesNotExist("Content-Security-Policy-Report-Only"));
}
@Test
@ -266,9 +268,10 @@ public class SpringBootWebSecurityConfigurationTests {
.getBean("springSecurityFilterChain", Filter.class))
.build();
mockMvc.perform(MockMvcRequestBuilders.get("/"))
.andExpect(MockMvcResultMatchers.header().string("Content-Security-Policy-Report-Only",
is("default-src 'self';")))
.andExpect(MockMvcResultMatchers.header().doesNotExist("Content-Security-Policy"));
.andExpect(MockMvcResultMatchers.header().string(
"Content-Security-Policy-Report-Only", is("default-src 'self';")))
.andExpect(MockMvcResultMatchers.header()
.doesNotExist("Content-Security-Policy"));
}
@Configuration