[
https://issues.apache.org/jira/browse/SLING-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17015169#comment-17015169
]
Jason E Bailey commented on SLING-7760:
---------------------------------------
[~cziegeler] Here are some of the headers that we currently have. Note that the
Content-Security-Policy is huge because we have 5 separate domains that we
serve out of our instances. So any one domain has permissions to source data
from a domain it doesn't actually interact with because another one of our
domains requires it.
X-Content-Type-Options: nosniff
X-XSS-Protection: 1;mode=block
X-Frame-Options: sameorigin
Content-Security-Policy:
  default-src * 'self' data: 'unsafe-inline' blob:;
  script-src * 'self' blob: data: 'unsafe-inline' 'unsafe-eval' *.trustarc.com
    *.doubleclick.net *.liveperson.net *.sas.com assets.adobedtm.com
    ssl.google-analytics.com accdn.lpsnmedia.net www.googletagmanager.com
    www.google-analytics.com bat.bing.com benchtag.co front.facetz.net
    *.facebook.net *.facebook.com www.googleadservices.com tb.juiceadv.com
    *.linkedin.com pixel.mathtag.com pixel.quantserve.com *.quora.com
    analytics.twitter.com tagmanager.google.com mc.yandex.ru static.ads-twitter.com
    snap.licdn.com *.bizographics.com dev.visualwebsiteoptimizer.com
    scripts.demandbase.com consent.truste.com s.yimg.com ssl.gstatic.com
    api.company-target.com script.crazyegg.com platform.twitter.com
    sp.analytics.yahoo.com x.bidswitch.net s7.addthis.com ad4.adfarm1.adition.com
    livestream.co *.brightcove.net track.adform.net insight.adsrvr.org
    www.vintom.com b92.yahoo.co.jp cdn.appdynamics.com
    execution-dscvrtraffic.cidev.sas.us *.brightcove.com *.mrpfd.com d3js.org
    *.d3.org;
  img-src * 'self' data: *.google-analytics.com *.doubleclick.net www.google.com
    *.sas.com front.facetz.net *.facebook.com www.googleadservices.com
    tb.juiceadv.com ext.ligatus.com bcp.crwdcntrl.net pixel.mathtag.com *.quora.com
    cdn.taboola.com analytics.twitter.com d.company-target.com mc.yandex.ru t.co
    px.ads.linkedin.com *.bizographics.com insight.adsrvr.org assets.adobedtm.com
    *.brightcove.com;
  font-src * 'self' data: *.sas.com fast.fonts.net;
  connect-src * 'self' *.sas.com *.brightcove.com ma156-r.analytics.edgekey.net
    api.company-target.com livestream.com www.vintom.com *.doubleclick.net
    assets.adobedtm.com;
  frame-src 'self' assets.adobedtm.com lpcdn.lpsnmedia.net *.liveperson.net
    www.youtube.com s7.addthis.com *.twitter.com *.sas.com pixel.mathtag.com
    livestream.com ad4.adfarm1.adition.com www.vintom.com *.doubleclick.net
    *.facebook.net *.twitter.com *.trustarc.com *.facebook.com *.linkedin.com;
  frame-ancestors *.ci360.sas.com *.gatheriq.analytics *.curriculumpathways.com
Cache-Control: max-age=3600
As you can see the Content-Security-Policy is the problem child and could do
with some sort of tool to assist in its creation in its own right.
> Sling Main Servlet - Change header configuration to a service
> -------------------------------------------------------------
>
> Key: SLING-7760
> URL: https://issues.apache.org/jira/browse/SLING-7760
> Project: Sling
> Issue Type: Improvement
> Reporter: Jason E Bailey
> Assignee: Jason E Bailey
> Priority: Major
>
> The ability to set headers must be done prior to any writing that occurs to the
> output stream. This is the reason why the headers are set to be configured in
> the Sling Main Servlet.
> With Sling being used to maintain multiple sites, having a single set of
> response headers creates problems where the header provides a non tailored
> response. One site may have a conflicting set of requirements than another
> site.
> If the setting of headers was moved from being a configuration to being a
> service used by the Main Servlet, this would allow the following:
> * Headers set on a per site basis
> * Headers based on selected resource
> * Ability to modify the headers without causing the restart of the Sling
> Main Servlet
> ** Which if you're dealing with CSP headers can be a constant pain
> * Ability to create a CSP configuration Service that eases the use of CSP
> creation
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
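The header dump in the comment shows both problems the issue raises: the single shared policy is the union of what five different sites need, and a policy that long is hard to get right by hand. As an added example, not code from the Jira thread or from Sling, here is a small stand-alone Python audit that parses a CSP, flags the sources that make its host list moot (a bare * in a fetch directive already matches every http(s) host, and 'unsafe-inline', 'unsafe-eval', data: and blob: in script-src let attacker-controlled script run), and measures what each site would be granted by a union header that it never asked for. Python is used because this is a policy check rather than an OSGi service; the function names, the trimmed SHARED_CSP and the per-site SITE_POLICIES are constructed for the example and are not taken from the thread.

```python
"""Added example (not Sling or Jira-thread code): parse, audit and compare CSP headers."""
from collections import OrderedDict

# Fetch directives: in any of these a bare '*' already matches every http(s)
# host, so hostnames listed beside it grant nothing extra.
FETCH_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "worker-src", "manifest-src",
}

# Constructed: a trimmed version of the production header quoted in the comment.
SHARED_CSP = (
    "default-src * 'self' data: 'unsafe-inline' blob:; "
    "script-src * 'self' blob: data: 'unsafe-inline' 'unsafe-eval' "
    "*.trustarc.com www.googletagmanager.com d3js.org; "
    "img-src * 'self' data: *.google-analytics.com; "
    "frame-ancestors *.ci360.sas.com"
)

# Constructed: hypothetical policies two of the hosted sites would need on their own.
SITE_POLICIES = {
    "docs.example": "default-src 'self'; script-src 'self' d3js.org; "
                    "img-src 'self' data:",
    "shop.example": "default-src 'self'; script-src 'self' www.googletagmanager.com; "
                    "img-src 'self' *.google-analytics.com",
}

def parse_csp(header):
    """{directive: [sources]}. Names are case-insensitive; a repeated directive
    is ignored because browsers keep only the first occurrence."""
    policy = OrderedDict()
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def is_host_source(token):
    """Host expressions only: not keywords ('self'), schemes (data:) or '*'."""
    return token != "*" and not token.startswith("'") and not token.endswith(":")

def effective_sources(policy, directive):
    """Sources governing `directive` after the default-src fallback (frame-src
    and worker-src have longer fallback chains, not modelled here)."""
    return policy.get(directive, policy.get("default-src", []))

def audit_csp(header):
    """Return [(directive, finding)] for sources that defeat the allow-list."""
    policy = parse_csp(header)
    findings = []
    for name, srcs in policy.items():
        if name in FETCH_DIRECTIVES and "*" in srcs:
            n = sum(1 for s in srcs if is_host_source(s))
            findings.append((name, f"'*' present ({n} listed hosts redundant)"))
    script = effective_sources(policy, "script-src")
    # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash source is listed.
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
    if "'unsafe-inline'" in script and not nonce_or_hash:
        findings.append(("script-src", "'unsafe-inline' in effect; inline XSS runs"))
    if "'unsafe-eval'" in script:
        findings.append(("script-src", "'unsafe-eval' permits eval()/Function()"))
    for scheme in ("data:", "blob:"):
        if scheme in script:
            findings.append(("script-src", f"{scheme} URLs may run as script"))
    if "*" in effective_sources(policy, "object-src"):
        findings.append(("object-src", "effectively '*'; set object-src 'none'"))
    if "frame-ancestors" not in policy:
        findings.append(("frame-ancestors", "not set; clickjacking relies on X-Frame-Options"))
    return findings

def merge_policies(site_policies):
    """Union of per-site policies: the one header a shared instance must send when
    it cannot vary headers per site. Assumes every site declares the same directives."""
    merged = OrderedDict()
    for header in site_policies.values():
        for name, srcs in parse_csp(header).items():
            bucket = merged.setdefault(name, [])
            for s in srcs:
                if s not in bucket:
                    bucket.append(s)
    return merged

def excess_grants(site_policies):
    """Per site: sources the union header grants that the site never asked for."""
    merged = merge_policies(site_policies)
    report = {}
    for site, header in site_policies.items():
        own = parse_csp(header)
        extra = {name: [s for s in srcs if s not in own.get(name, [])]
                 for name, srcs in merged.items()}
        report[site] = {name: srcs for name, srcs in extra.items() if srcs}
    return report

if __name__ == "__main__":
    for directive, finding in audit_csp(SHARED_CSP):
        print(f"{directive}: {finding}")
    for site, extra in excess_grants(SITE_POLICIES).items():
        print(site, "is also granted:", extra)
```

Run against the trimmed policy, the audit reports that every listed host in script-src and img-src is redundant next to the wildcard, that inline and eval'd script is permitted, and that object-src silently inherits the wildcard from default-src. The per-site comparison is the part a header service of the kind proposed in SLING-7760 would remove: with one policy per site, excess_grants returns nothing for any of them.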