Adding Content-Security-Policy support to HttpHeaderSecurityFilter


Adding Content-Security-Policy support to HttpHeaderSecurityFilter

Christopher Schultz-2

All,

While replying to James's recent message about this filter's anti
click-jacking features[1], I was surprised to see that this filter
does not have any support for the Content-Security-Policy header.

Adding such support would be fairly simple: simply add a
"contentSecurityPolicy" attribute which gets dumped-out to every
response as a Content-Security-Policy header.

Any votes for/against?

- -chris

[1]
https://lists.apache.org/thread.html/rb9f6829febf9b56aef2888ea2b5a98ee13
b14326c42225fc04ec13e5%40%3Cusers.tomcat.apache.org%3E


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
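To make the proposal concrete, here is an added example of a minimal servlet filter that does what the post describes: read a "contentSecurityPolicy" init-param and emit it as a Content-Security-Policy header on every response. This is illustrative code written for this thread, not Tomcat's HttpHeaderSecurityFilter or any patch from it; the class name, package, default policy and the javax.servlet API level (Tomcat 9 era) are assumptions.

```java
package example.filters; // hypothetical package, not org.apache.catalina.filters

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter that sets a Content-Security-Policy header on every
 * response. Configure in web.xml (example, not Tomcat's own config):
 *
 *   <filter>
 *     <filter-name>cspFilter</filter-name>
 *     <filter-class>example.filters.ContentSecurityPolicyFilter</filter-class>
 *     <init-param>
 *       <param-name>contentSecurityPolicy</param-name>
 *       <param-value>default-src 'self'; frame-ancestors 'none'</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>cspFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class ContentSecurityPolicyFilter implements Filter {

    // Init-param name taken from the proposal in the thread.
    static final String PARAM_NAME = "contentSecurityPolicy";
    static final String HEADER_NAME = "Content-Security-Policy";

    // Assumed default when no policy is configured: same-origin only.
    private String policy = "default-src 'self'";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String configured = filterConfig.getInitParameter(PARAM_NAME);
        if (configured == null) {
            return; // keep the default
        }
        configured = configured.trim();
        // A CR or LF inside a header value would split the header; fail at
        // startup rather than emit a malformed response.
        if (configured.isEmpty()
                || configured.indexOf('\r') >= 0
                || configured.indexOf('\n') >= 0) {
            throw new ServletException("Invalid value for " + PARAM_NAME);
        }
        policy = configured;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            // Set the header BEFORE passing the request on: once the servlet
            // commits the response, headers set here would be silently dropped.
            // setHeader (not addHeader) keeps exactly one policy header even if
            // the filter is mapped to the request more than once.
            ((HttpServletResponse) response).setHeader(HEADER_NAME, policy);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Setting the header before `chain.doFilter` is the one ordering detail that matters: a filter that adds headers after the chain returns will miss any response the servlet has already committed. The newline check mirrors the kind of validation the existing filter would need for a free-form policy string, since the value is copied verbatim into the response.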


Re: Adding Content-Security-Policy support to HttpHeaderSecurityFilter

markt
On 24/03/2020 21:28, Christopher Schultz wrote:

> All,
>
> While replying to James's recent message about this filter's anti
> click-jacking features[1], I was surprised to see that this filter
> does not have any support for the Content-Security-Policy header.
>
> Adding such support would be fairly simple: simply add a
> "contentSecurityPolicy" attribute which gets dumped-out to every
> response as a Content-Security-Policy header.
>
> Any votes for/against?

See: https://bz.apache.org/bugzilla/show_bug.cgi?id=58837

No objections to your proposal. I do wonder about the more general
solution but I don't see that as a reason not to do this.

Mark



Re: Adding Content-Security-Policy support to HttpHeaderSecurityFilter

Christopher Schultz-2

Mark,

On 3/24/20 17:51, Mark Thomas wrote:

> On 24/03/2020 21:28, Christopher Schultz wrote:
>> All,
>>
>> While replying to James's recent message about this filter's
>> anti click-jacking features[1], I was surprised to see that this
>> filter does not have any support for the Content-Security-Policy
>> header.
>>
>> Adding such support would be fairly simple: simply add a
>> "contentSecurityPolicy" attribute which gets dumped-out to every
>> response as a Content-Security-Policy header.
>>
>> Any votes for/against?
>
> See: https://bz.apache.org/bugzilla/show_bug.cgi?id=58837
>
> No objections to your proposal. I do wonder about the more general
> solution but I don't see that as a reason not to do this.

My 2018 self was a little more skeptical. 2020 me thinks that it's
useful to bundle this into HttpHeaderSecurityFilter. CSP is a single
header, not a suite of things like the anti-clickjacking ended up
being. Using url-rewrite for a single header is unnecessarily complex.
Using Tomcat's rewrite for a single header might be reasonable, except
that we already have a Filter essentially built for this kind of thing.

- -chris
