Simplify Content-Security-Policy Configuration #13241

jzheaux · 2023-05-26T23:54:23Z

With the removal of X-XSS-Protection, it would be nice to simplify adding Content-Security-Policy.

One way to do this is to turn on Content-Security-Policy-Report-Only by default. Spring Security could provide a simple reporting endpoint that publishes an ApplicationEvent when the policy is violated. Similar to DefaultLoginPageGeneratingFilter, this endpoint would likely be replaced, but would work for giving applications a head start on Content-Security-Policy.

Folks would change this behavior by setting the header themselves like so:

http.headers((headers) -> headers.contentSecurityPolicy())

The above would replace Content-Security-Policy-Report-Only: default-src 'self'; report-uri: /report-uri with Content-Security-Policy: default-src 'self'.

Provide default endpoint for reporting violations
Change default directive for report-only to report to default endpoint
Make report-only setting the default

The text was updated successfully, but these errors were encountered:

jzheaux added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels May 26, 2023

jzheaux mentioned this issue May 31, 2023

Configuration Improvements #13255

Open

8 tasks

jzheaux added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 7, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Simplify Content-Security-Policy Configuration #13241

Simplify Content-Security-Policy Configuration #13241

jzheaux commented May 26, 2023

Simplify Content-Security-Policy Configuration #13241

Simplify Content-Security-Policy Configuration #13241

Comments

jzheaux commented May 26, 2023