Spring Security HTTP headers not added for large files #34498

Closed
cartbar opened this issue Feb 26, 2025 · 1 comment
Labels
for: external-project (Needs a fix in external project); status: invalid (An issue that we don't feel is valid)

Comments


cartbar commented Feb 26, 2025

I had a Spring Boot application using version 3.3.7. I have configured my endpoint to generate some HTTP headers, using some XML, like:

    <http request-matcher-ref="staticResourcesMatcher">
        <headers>
            <cache-control disabled="true"/>
            <content-security-policy policy-directives="default-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:; connect-src *;"/>
            <cross-origin-embedder-policy policy="require-corp"/>
            <cross-origin-opener-policy policy="same-origin"/>
            <cross-origin-resource-policy policy="same-origin"/>
            <permissions-policy policy="geolocation=(), microphone=(), camera=()"/>
            <referrer-policy policy="no-referrer"/>
        </headers>
        <http-basic />
        <intercept-url pattern="**" access="isAuthenticated()" />
    </http>

When I access a particular resource, called /img/logo.png, the headers appear as expected:

[screenshot of the response headers for /img/logo.png]

However, when I access a different resource, called /img/error.png, the headers are missing:

[screenshot of the response headers for /img/error.png]

When I debug, I can see that in both cases the ContentSecurityPolicyHeaderWriter class is called for all the required headers. However, in the case of the missing headers, the ResponseHttpFields instance is already committed before these headers are added, which means that they are never added.

I believe the issue is that for larger files, the response is starting to be written before the ContentSecurityPolicyHeaderWriter is being called.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Feb 26, 2025

bclozel commented Feb 26, 2025

It looks like in some cases, headers cannot be written as the response is already committed.
The HeaderWriterFilter seems to write headers after the filter chain, which means that the response body might be already written to the network. I see that Spring Security added a new option to write those headers eagerly: spring-projects/spring-security#6501

I'm not sure this option is available at the XML configuration level. I think this is a question for the Spring Security project. Could you raise the problem there?
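As an added example (not code from this issue or from the Spring projects), here is how the same static-resource chain could be expressed in Java config while switching `HeaderWriterFilter` to eager mode, so the security headers are set before the filter chain (and any large response body) runs. It assumes that the eager option referenced above is `HeaderWriterFilter.setShouldWriteHeadersEagerly(boolean)`, reachable through `HeadersConfigurer.withObjectPostProcessor`, and uses `/img/**` as a stand-in for the reporter's `staticResourcesMatcher` bean; the remaining cross-origin and permissions headers from the XML can be added the same way.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.HeaderWriterFilter;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;

@Configuration
public class StaticResourceSecurityConfig {

    // Stand-in for the XML staticResourcesMatcher bean (assumed path pattern).
    private static final String STATIC_RESOURCES = "/img/**";

    @Bean
    SecurityFilterChain staticResourcesChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(STATIC_RESOURCES)
            .headers(headers -> headers
                // <cache-control disabled="true"/>
                .cacheControl(cache -> cache.disable())
                // <content-security-policy policy-directives="..."/>
                .contentSecurityPolicy(csp -> csp.policyDirectives(
                    "default-src 'self' 'unsafe-eval' 'unsafe-inline'; "
                    + "img-src 'self' data:; connect-src *;"))
                // <referrer-policy policy="no-referrer"/>
                .referrerPolicy(referrer -> referrer.policy(ReferrerPolicy.NO_REFERRER))
                // Write the headers before the rest of the chain executes, so a
                // large body served by the default servlet cannot commit the
                // response first and silently discard them. Assumed to be the
                // option introduced by spring-projects/spring-security#6501.
                .withObjectPostProcessor(new ObjectPostProcessor<HeaderWriterFilter>() {
                    @Override
                    public <O extends HeaderWriterFilter> O postProcess(O filter) {
                        filter.setShouldWriteHeadersEagerly(true);
                        return filter;
                    }
                }))
            // <http-basic />
            .httpBasic(Customizer.withDefaults())
            // <intercept-url pattern="**" access="isAuthenticated()" />
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}
```

To confirm the fix, compare the response headers of a small and a large file under the matched path; with eager writing both should carry the configured headers.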

@bclozel bclozel closed this as not planned Won't fix, can't repro, duplicate, stale Feb 26, 2025
@bclozel bclozel added status: invalid An issue that we don't feel is valid for: external-project Needs a fix in external project and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Feb 26, 2025