Clarification on connection of Content-Security-Policy header with HttpSecurity DSL support #14092
Hello, @sandipchitale.
Spring Security will only add its filters on the
I don't think a global filter would be considered here for the reasons I mentioned before. You can specify your own:

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.MediaType;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter;
import org.springframework.util.MimeType;

public final class HtmlContentSecurityPolicyHeaderWriter implements HeaderWriter {
    private final ContentSecurityPolicyHeaderWriter delegate = new ContentSecurityPolicyHeaderWriter("default-src 'self' https://*");
    @Override
    public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
        // Write CSP only for HTML responses; tolerate an unset Content-Type and parameters such as charset
        String contentType = response.getContentType();
        boolean isHtml = contentType != null && MediaType.TEXT_HTML.equalsTypeAndSubtype(MimeType.valueOf(contentType));
        if (isHtml) {
            this.delegate.writeHeaders(request, response);
        }
    }
}
```

and then:

```java
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .headers((headers) -> headers
            .addHeaderWriter(new HtmlContentSecurityPolicyHeaderWriter())
        );
    return http.build();
}
```

Or you can even implement your own global filter and add that condition to it. Does that make sense?
@marcusdacoregio Thanks for the clarification. The above makes sense. So to be more optimal in terms of sending the CSP response header only on the responses that make sense, the approach you suggest could be better:

compared to using the DSL:

Unless there is some other reason I am not thinking of that currently the CSP header is sent on all responses if one uses the DSL. Maybe a note could be added to the section of the documentation related to CSP handling suggesting a potentially more optimal alternative.
I suggest that you read #6501 and the related issues to get more information about that. An even better solution for your use case is documented here. By using the

```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    RequestMatcher matcher = new MediaTypeRequestMatcher(MediaType.TEXT_HTML);
    DelegatingRequestMatcherHeaderWriter headerWriter =
            new DelegatingRequestMatcherHeaderWriter(matcher, new ContentSecurityPolicyHeaderWriter("default-src 'self' https://*"));
    http
        // ...
        .headers(headers -> headers
            .addHeaderWriter(headerWriter)
        );
    return http.build();
}
```

That way you only use classes that Spring Security provides and avoid having to write custom implementations. Since the documentation covers that, I'll close this as resolved.
Minor point. We want to write the CSP header only when the response content type is text/html, not the request media type. So the above based on
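As an added example (not code from the issue thread or from Spring Security itself), the following runs both header writers discussed above against constructed mock requests and responses to make the difference from the last comment visible: `MediaTypeRequestMatcher` decides from the request's `Accept` header, while a response-side writer decides from the `Content-Type` the handler actually set. It assumes spring-security-web, spring-web and spring-test on the classpath with the Jakarta servlet API; the class name is hypothetical.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.MediaType;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;

// Added example (hypothetical class name), not from the issue thread or Spring Security itself.
public class CspHeaderWriterComparison {
    static final String POLICY = "default-src 'self' https://*";
    static final String CSP = "Content-Security-Policy";
    // Documented approach: MediaTypeRequestMatcher decides from the request's Accept header.
    static HeaderWriter requestSideWriter() {
        return new DelegatingRequestMatcherHeaderWriter(
                new MediaTypeRequestMatcher(MediaType.TEXT_HTML),
                new ContentSecurityPolicyHeaderWriter(POLICY));
    }
    // Response-side approach: decide from the Content-Type the handler actually set.
    static HeaderWriter responseSideWriter() {
        ContentSecurityPolicyHeaderWriter delegate = new ContentSecurityPolicyHeaderWriter(POLICY);
        return (HttpServletRequest request, HttpServletResponse response) -> {
            String contentType = response.getContentType();
            // Tolerate an unset Content-Type and ignore parameters such as charset
            if (contentType != null
                    && MediaType.parseMediaType(contentType).equalsTypeAndSubtype(MediaType.TEXT_HTML)) {
                delegate.writeHeaders(request, response);
            }
        };
    }
    // Runs a writer against a constructed request/response pair; true if the CSP header was written.
    static boolean writesCsp(HeaderWriter writer, String accept, String responseContentType) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
        request.addHeader("Accept", accept);
        MockHttpServletResponse response = new MockHttpServletResponse();
        response.setContentType(responseContentType);
        writer.writeHeaders(request, response);
        return response.getHeader(CSP) != null;
    }
    public static void main(String[] args) {
        // A fetch() call sending Accept: */* that receives JSON: */* is compatible with text/html,
        // so the request-side writer still adds CSP, while the response-side writer skips the JSON body.
        System.out.println("request-side:  " + writesCsp(requestSideWriter(), "*/*", "application/json"));
        System.out.println("response-side: " + writesCsp(responseSideWriter(), "*/*", "application/json"));
        // A browser navigation that receives an HTML page with a charset parameter: the response-side writer still matches.
        System.out.println("html page:     " + writesCsp(responseSideWriter(), "text/html", "text/html;charset=UTF-8"));
    }
}
```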
According to MDN we can set the CSP protection via HTML like so.

This tag goes in the head section of the web page, which seems to imply that this is only needed in the HTML page being loaded in the browser (tab, frame, iframe).

Spring Security supports this like this:

which means that the `Content-Security-Policy` header is sent back on all responses irrespective of content-type under the security matcher associated with `httpSecurity`. It seems wasteful to send the header on every response. Could this be implemented instead by a global filter?

I know I can do this already. But would like to ask - is there a reason I am not thinking of that this does need to be implemented in the `httpSecurity` DSL? Could Spring Security provide a way to do this declaratively as a global filter instead? Or could this be implemented in a way that it is integrated with HTML (HTML generating mechanisms like .jsp)?
Context

If I have multiple `httpSecurity` in my application I have to configure CSP handling for each.