NotificationsYou must be signed in to change notification settings
Fork122
Star236

Commitf6cbfeb

authored

Add CSP headers (#63)

* Added CSP, made GA work with CSP

1 parent1ac0031 commitf6cbfebCopy full SHA for f6cbfeb

File tree

7 files changed

+217

-12

lines changed

stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers
- ContentSecurityPolicyHandler.java
stubbornjava-webapp
- src/main/java/com/stubbornjava/webapp
  - StubbornJavaWebApp.java
- ui/src/common

7 files changed

+217

-12

lines changed

`‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/ContentSecurityPolicyHandler.java‎`

Lines changed: 195 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,195 @@`
	`1`	`+packagecom.stubbornjava.undertow.handlers;`
	`2`	`+`
	`3`	`+importjava.util.HashMap;`
	`4`	`+importjava.util.Map;`
	`5`	`+importjava.util.stream.Collectors;`
	`6`	`+importjava.util.stream.Stream;`
	`7`	`+`
	`8`	`+importio.undertow.server.HttpHandler;`
	`9`	`+importio.undertow.server.handlers.SetHeaderHandler;`
	`10`	`+`
	`11`	`+publicclassContentSecurityPolicyHandler {`
	`12`	`+privatestaticfinalStringCSP_HEADER ="Content-Security-Policy";`
	`13`	`+`
	`14`	`+publicenumContentSecurityPolicy {`
	`15`	`+NONE("'none'"),// blocks the use of this type of resource.`
	`16`	`+SELF("'self'"),// matches the current origin (but not subdomains).`
	`17`	`+UNSAFE_INLINE("'unsafe-inline'"),// allows the use of inline JS and CSS.`
	`18`	`+UNSAFE_EVAL("'unsafe-eval'"),// allows the use of mechanisms like eval().`
	`19`	`+ ;`
	`20`	`+`
	`21`	`+privatefinalStringvalue;`
	`22`	`+ContentSecurityPolicy(Stringvalue) {`
	`23`	`+this.value =value;`
	`24`	`+ }`
	`25`	`+publicStringgetValue() {`
	`26`	`+returnvalue;`
	`27`	`+ }`
	`28`	`+ }`
	`29`	`+`
	`30`	`+// https://scotthelme.co.uk/content-security-policy-an-introduction/#whatcanweprotect`
	`31`	`+publicstaticclassBuilder {`
	`32`	`+privatefinalMap<String,String>policyMap;`
	`33`	`+`
	`34`	`+publicBuilder() {`
	`35`	`+this.policyMap =newHashMap<>();`
	`36`	`+ }`
	`37`	`+`
	`38`	`+publicBuilderdefaultSrc(ContentSecurityPolicypolicy) {`
	`39`	`+policyMap.put("default-src",policy.getValue());`
	`40`	`+returnthis;`
	`41`	`+ }`
	`42`	`+`
	`43`	`+publicBuilderdefaultSrc(String...policies) {`
	`44`	`+policyMap.put("default-src",join(policies));`
	`45`	`+returnthis;`
	`46`	`+ }`
	`47`	`+`
	`48`	`+publicBuilderscriptSrc(ContentSecurityPolicypolicy) {`
	`49`	`+policyMap.put("script-src",policy.getValue());`
	`50`	`+returnthis;`
	`51`	`+ }`
	`52`	`+`
	`53`	`+publicBuilderscriptSrc(String...policies) {`
	`54`	`+policyMap.put("script-src",join(policies));`
	`55`	`+returnthis;`
	`56`	`+ }`
	`57`	`+`
	`58`	`+publicBuilderobjectSrc(ContentSecurityPolicypolicy) {`
	`59`	`+policyMap.put("object-src",policy.getValue());`
	`60`	`+returnthis;`
	`61`	`+ }`
	`62`	`+`
	`63`	`+publicBuilderobjectSrc(String...policies) {`
	`64`	`+policyMap.put("object-src",join(policies));`
	`65`	`+returnthis;`
	`66`	`+ }`
	`67`	`+`
	`68`	`+publicBuilderstyleSrc(ContentSecurityPolicypolicy) {`
	`69`	`+policyMap.put("style-src",policy.getValue());`
	`70`	`+returnthis;`
	`71`	`+ }`
	`72`	`+`
	`73`	`+publicBuilderstyleSrc(String...policies) {`
	`74`	`+policyMap.put("style-src",join(policies));`
	`75`	`+returnthis;`
	`76`	`+ }`
	`77`	`+`
	`78`	`+publicBuilderimgSrc(ContentSecurityPolicypolicy) {`
	`79`	`+policyMap.put("img-src",policy.getValue());`
	`80`	`+returnthis;`
	`81`	`+ }`
	`82`	`+`
	`83`	`+publicBuilderimgSrc(String...policies) {`
	`84`	`+policyMap.put("img-src",join(policies));`
	`85`	`+returnthis;`
	`86`	`+ }`
	`87`	`+`
	`88`	`+publicBuildermediaSrc(ContentSecurityPolicypolicy) {`
	`89`	`+policyMap.put("media-src",policy.getValue());`
	`90`	`+returnthis;`
	`91`	`+ }`
	`92`	`+`
	`93`	`+publicBuildermediaSrc(String...policies) {`
	`94`	`+policyMap.put("media-src",join(policies));`
	`95`	`+returnthis;`
	`96`	`+ }`
	`97`	`+`
	`98`	`+publicBuilderframeSrc(ContentSecurityPolicypolicy) {`
	`99`	`+policyMap.put("frame-src",policy.getValue());`
	`100`	`+returnthis;`
	`101`	`+ }`
	`102`	`+`
	`103`	`+publicBuilderframeSrc(String...policies) {`
	`104`	`+policyMap.put("frame-src",join(policies));`
	`105`	`+returnthis;`
	`106`	`+ }`
	`107`	`+`
	`108`	`+publicBuilderfontSrc(ContentSecurityPolicypolicy) {`
	`109`	`+policyMap.put("font-src",policy.getValue());`
	`110`	`+returnthis;`
	`111`	`+ }`
	`112`	`+`
	`113`	`+publicBuilderfontSrc(String...policies) {`
	`114`	`+policyMap.put("font-src",join(policies));`
	`115`	`+returnthis;`
	`116`	`+ }`
	`117`	`+`
	`118`	`+publicBuilderconnectSrc(ContentSecurityPolicypolicy) {`
	`119`	`+policyMap.put("connect-src",policy.getValue());`
	`120`	`+returnthis;`
	`121`	`+ }`
	`122`	`+`
	`123`	`+publicBuilderconnectSrc(String...policies) {`
	`124`	`+policyMap.put("connect-src",join(policies));`
	`125`	`+returnthis;`
	`126`	`+ }`
	`127`	`+`
	`128`	`+publicBuilderformAction(ContentSecurityPolicypolicy) {`
	`129`	`+policyMap.put("form-action",policy.getValue());`
	`130`	`+returnthis;`
	`131`	`+ }`
	`132`	`+`
	`133`	`+publicBuilderformAction(String...policies) {`
	`134`	`+policyMap.put("form-action",join(policies));`
	`135`	`+returnthis;`
	`136`	`+ }`
	`137`	`+`
	`138`	`+publicBuildersandbox(ContentSecurityPolicypolicy) {`
	`139`	`+policyMap.put("sandbox",policy.getValue());`
	`140`	`+returnthis;`
	`141`	`+ }`
	`142`	`+`
	`143`	`+publicBuildersandbox(String...policies) {`
	`144`	`+policyMap.put("sandbox",join(policies));`
	`145`	`+returnthis;`
	`146`	`+ }`
	`147`	`+`
	`148`	`+publicBuilderscriptNonce(ContentSecurityPolicypolicy) {`
	`149`	`+policyMap.put("script-nonce",policy.getValue());`
	`150`	`+returnthis;`
	`151`	`+ }`
	`152`	`+`
	`153`	`+publicBuilderscriptNonce(String...policies) {`
	`154`	`+policyMap.put("script-nonce",join(policies));`
	`155`	`+returnthis;`
	`156`	`+ }`
	`157`	`+`
	`158`	`+publicBuilderpluginTypes(ContentSecurityPolicypolicy) {`
	`159`	`+policyMap.put("plugin-types",policy.getValue());`
	`160`	`+returnthis;`
	`161`	`+ }`
	`162`	`+`
	`163`	`+publicBuilderpluginTypes(String...policies) {`
	`164`	`+policyMap.put("plugin-types",join(policies));`
	`165`	`+returnthis;`
	`166`	`+ }`
	`167`	`+`
	`168`	`+publicBuilderreflectedXss(ContentSecurityPolicypolicy) {`
	`169`	`+policyMap.put("reflected-xss",policy.getValue());`
	`170`	`+returnthis;`
	`171`	`+ }`
	`172`	`+`
	`173`	`+publicBuilderreflectedXss(String...policies) {`
	`174`	`+policyMap.put("reflected-xss",join(policies));`
	`175`	`+returnthis;`
	`176`	`+ }`
	`177`	`+`
	`178`	`+publicBuilderreportUri(Stringuri) {`
	`179`	`+policyMap.put("report-uri",uri);`
	`180`	`+returnthis;`
	`181`	`+ }`
	`182`	`+`
	`183`	`+publicHttpHandlerbuild(HttpHandlerdelegate) {`
	`184`	`+Stringpolicy =policyMap.entrySet()`
	`185`	`+ .stream()`
	`186`	`+ .map(entry ->entry.getKey() +" " +entry.getValue())`
	`187`	`+ .collect(Collectors.joining("; "));`
	`188`	`+returnnewSetHeaderHandler(delegate,CSP_HEADER,policy);`
	`189`	`+ }`
	`190`	`+`
	`191`	`+privateStringjoin(String...strings) {`
	`192`	`+returnStream.of(strings).collect(Collectors.joining(" "));`
	`193`	`+ }`
	`194`	`+ }`
	`195`	`+}`

`‎stubbornjava-webapp/src/main/java/com/stubbornjava/webapp/StubbornJavaWebApp.java‎`

Lines changed: 13 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,8 @@`
`10`	`10`	`importcom.stubbornjava.common.seo.SitemapRoutes;`
`11`	`11`	`importcom.stubbornjava.common.undertow.SimpleServer;`
`12`	`12`	`importcom.stubbornjava.common.undertow.handlers.CustomHandlers;`
	`13`	`+importcom.stubbornjava.undertow.handlers.ContentSecurityPolicyHandler;`
	`14`	`+importcom.stubbornjava.undertow.handlers.ContentSecurityPolicyHandler.ContentSecurityPolicy;`
`13`	`15`	`importcom.stubbornjava.undertow.handlers.MiddlewareBuilder;`
`14`	`16`	`importcom.stubbornjava.undertow.handlers.ReferrerPolicyHandlers.ReferrerPolicy;`
`15`	`17`	`importcom.stubbornjava.webapp.guide.GuideRoutes;`
`@@ -31,9 +33,20 @@ private static HttpHandler exceptionHandler(HttpHandler next) {`
`31`	`33`	`.addExceptionHandler(Throwable.class,PageRoutes::error);`
`32`	`34`	`}`
`33`	`35`
	`36`	`+privatestaticHttpHandlercontentSecurityPolicy(HttpHandlerdelegate) {`
	`37`	`+returnnewContentSecurityPolicyHandler.Builder()`
	`38`	`+ .defaultSrc(ContentSecurityPolicy.SELF)`
	`39`	`+ .scriptSrc("'self'","https://www.google-analytics.com")`
	`40`	`+ .imgSrc("'self'","https://www.google-analytics.com")`
	`41`	`+ .connectSrc("'self'","https://www.google-analytics.com")`
	`42`	`+ .styleSrc(ContentSecurityPolicy.SELF.getValue(),ContentSecurityPolicy.UNSAFE_INLINE.getValue())`
	`43`	`+ .build(delegate);`
	`44`	`+ }`
	`45`	`+`
`34`	`46`	`privatestaticHttpHandlerwrapWithMiddleware(HttpHandlernext) {`
`35`	`47`	`returnMiddlewareBuilder.begin(PageRoutes::redirector)`
`36`	`48`	`.next(handler ->CustomHandlers.securityHeaders(handler,ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN))`
	`49`	`+ .next(StubbornJavaWebApp::contentSecurityPolicy)`
`37`	`50`	`.next(CustomHandlers::gzip)`
`38`	`51`	`.next(BlockingHandler::new)`
`39`	`52`	`.next(ex ->CustomHandlers.accessLog(ex,logger))`

`‎stubbornjava-webapp/ui/src/common/_base-layout.hbs‎`

Lines changed: 0 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,6 @@`
`10`	`10`	`{{>content}}`
`11`	`11`	`{{>templates/src/widgets/footer/footer}}`
`12`	`12`	`{{>templates/src/common/scripts}}`
`13`		`-{{>templates/src/common/google-analytics}}`
`14`	`13`	`{{#>extra-scripts}}{{/extra-scripts}}`
`15`	`14`	`</body>`
`16`	`15`	`</html>`

`‎stubbornjava-webapp/ui/src/common/_error-layout.hbs‎`

Lines changed: 0 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,5 @@`
`7`	`7`	`<bodyclass="error-bg">`
`8`	`8`	`{{>content}}`
`9`	`9`	`{{>templates/src/common/scripts}}`
`10`		`-{{>templates/src/common/google-analytics}}`
`11`	`10`	`</body>`
`12`	`11`	`</html>`

`‎stubbornjava-webapp/ui/src/common/common.js‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,7 @@`
`1`	`1`	`import$from'jquery';`
`2`	`2`
	`3`	`+import'./google-analytics.js';`
	`4`	`+`
`3`	`5`	`import'./3rdparty.js';`
`4`	`6`
`5`	`7`	`import'./common.scss';`

`‎stubbornjava-webapp/ui/src/common/google-analytics.hbs‎`

Lines changed: 0 additions & 10 deletions

This file was deleted.

`‎stubbornjava-webapp/ui/src/common/google-analytics.js‎`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,7 @@`
	`1`	`+(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]\|\|function(){`
	`2`	`+(i[r].q=i[r].q\|\|[]).push(arguments)},i[r].l=1*newDate();a=s.createElement(o),`
	`3`	`+m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)`
	`4`	`+})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');`
	`5`	`+`
	`6`	`+ga('create','UA-89603048-1','auto');`
	`7`	`+ga('send','pageview');`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf6cbfeb

File tree

7 files changed

7 files changed

`‎stubbornjava-undertow/src/main/java/com/stubbornjava/undertow/handlers/ContentSecurityPolicyHandler.java‎`

`‎stubbornjava-webapp/src/main/java/com/stubbornjava/webapp/StubbornJavaWebApp.java‎`

`‎stubbornjava-webapp/ui/src/common/_base-layout.hbs‎`

`‎stubbornjava-webapp/ui/src/common/_error-layout.hbs‎`

`‎stubbornjava-webapp/ui/src/common/common.js‎`

`‎stubbornjava-webapp/ui/src/common/google-analytics.hbs‎`

`‎stubbornjava-webapp/ui/src/common/google-analytics.js‎`

0 commit comments