Description
I have a Spring Boot application using version 3.3.7. I have configured my endpoint to generate some HTTP headers, using some XML like:
<http request-matcher-ref="staticResourcesMatcher">
    <headers>
        <cache-control disabled="true"/>
        <content-security-policy policy-directives="default-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:; connect-src *;"/>
        <cross-origin-embedder-policy policy="require-corp"/>
        <cross-origin-opener-policy policy="same-origin"/>
        <cross-origin-resource-policy policy="same-origin"/>
        <permissions-policy policy="geolocation=(), microphone=(), camera=()"/>
        <referrer-policy policy="no-referrer"/>
    </headers>
    <http-basic />
    <intercept-url pattern="**" access="isAuthenticated()" />
</http>
When I access a particular resource, called /img/logo.png, the headers appear as expected:
However, when I access a different resource, called /img/error.png, the headers are missing:
When I debug, I can see that in both cases the ContentSecurityPolicyHeaderWriter class is called for all the required headers. However, in the case of the missing headers, the ResponseHttpFields instance is already committed before these headers are added, which means that they are never added.
I believe the issue is that for larger files, the response is starting to be written before the ContentSecurityPolicyHeaderWriter is being called.
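
An added example, not part of the original report or of Spring Security's own code: a regression check that derives the expected response headers from the headers block shown above and audits raw response header blocks against them, so a resource that silently loses its security headers is caught. The two sample responses are constructed to model the reported cases, and the check assumes each element name equals the header name it emits, which holds for the six enabled elements in this configuration.

```python
import xml.etree.ElementTree as ET

# The <headers> block from the report, embedded so the check runs offline.
HEADERS_XML = """<headers>
<cache-control disabled="true"/>
<content-security-policy policy-directives="default-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:; connect-src *;"/>
<cross-origin-embedder-policy policy="require-corp"/>
<cross-origin-opener-policy policy="same-origin"/>
<cross-origin-resource-policy policy="same-origin"/>
<permissions-policy policy="geolocation=(), microphone=(), camera=()"/>
<referrer-policy policy="no-referrer"/>
</headers>"""

# Attributes that carry the header value in the elements above.
VALUE_ATTRS = ("policy-directives", "policy")

def expected_headers(xml_text):
    """Map lower-cased header name -> configured value."""
    expected = {}
    for el in ET.fromstring(xml_text):
        if el.get("disabled") == "true":
            continue  # writer switched off, nothing to expect
        value = next((el.get(a) for a in VALUE_ATTRS if el.get(a)), None)
        if value is not None:
            expected[el.tag.lower()] = value
    return expected

def audit(raw_headers, expected):
    """Return (missing, mismatched) header names for one raw header block."""
    seen = {}
    for line in raw_headers.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")  # split on the first colon only
        seen[name.strip().lower()] = value.strip()
    missing = sorted(h for h in expected if h not in seen)
    mismatched = sorted(h for h in expected
                        if h in seen and seen[h] != expected[h])
    return missing, mismatched

def render(status, headers):
    """Build a raw header block (constructed sample data, not captured output)."""
    return "\n".join([status] + [f"{k}: {v}" for k, v in headers.items()])

EXPECTED = expected_headers(HEADERS_XML)
# Constructed responses modelling the two cases described in the report.
LOGO = render("HTTP/1.1 200 OK", {"Content-Type": "image/png", **EXPECTED})
ERROR = render("HTTP/1.1 200 OK", {"Content-Type": "image/png"})

if __name__ == "__main__":
    for path, raw in (("/img/logo.png", LOGO), ("/img/error.png", ERROR)):
        missing, bad = audit(raw, EXPECTED)
        print(path, "OK" if not (missing or bad) else f"missing={missing} mismatched={bad}")
```

To use it against a running application, pass audit() the raw header block captured for each static resource, including at least one file large enough to be written in more than one chunk.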