[GitHub] thenatog commented on a change in pull request #3273: NIFI-5968 - Added the X-XSS-Protection and Strict-Transport-Security …
thenatog commented on a change in pull request #3273: NIFI-5968 - Added the X-XSS-Protection and Strict-Transport-Security … URL: https://github.com/apache/nifi/pull/3273#discussion_r252705728 ## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java ## @@ -586,7 +586,14 @@ private WebAppContext loadWar(final File warFile, final String contextPath, fina // configure the max form size (3x the default) webappContext.setMaxFormContentSize(60); -addHTTPHeaders(webappContext); +ArrayList> filters = new ArrayList<>(); Review comment: Updated This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] thenatog commented on a change in pull request #3273: NIFI-5968 - Added the X-XSS-Protection and Strict-Transport-Security …
thenatog commented on a change in pull request #3273: NIFI-5968 - Added the
X-XSS-Protection and Strict-Transport-Security …
URL: https://github.com/apache/nifi/pull/3273#discussion_r251531600
##
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java
##
@@ -602,6 +599,28 @@ private WebAppContext loadWar(final File warFile, final
String contextPath, fina
return webappContext;
}
+private void addHTTPHeaders(WebAppContext webappContext) {
+// Add a filter to set the X-Frame-Options header
+FilterHolder xfoFilter = new FilterHolder(new XFrameOptionsFilter());
Review comment:
I could potentially drop that and do a much simpler add to the webappContext?
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] thenatog commented on a change in pull request #3273: NIFI-5968 - Added the X-XSS-Protection and Strict-Transport-Security …
thenatog commented on a change in pull request #3273: NIFI-5968 - Added the
X-XSS-Protection and Strict-Transport-Security …
URL: https://github.com/apache/nifi/pull/3273#discussion_r251531021
##
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java
##
@@ -602,6 +599,28 @@ private WebAppContext loadWar(final File warFile, final
String contextPath, fina
return webappContext;
}
+private void addHTTPHeaders(WebAppContext webappContext) {
+// Add a filter to set the X-Frame-Options header
+FilterHolder xfoFilter = new FilterHolder(new XFrameOptionsFilter());
Review comment:
I believe the only reason I did this was so that I could set the name for
the holder/filter, which made it easier to debug when I was having issues
adding filters correctly.
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] thenatog commented on a change in pull request #3273: NIFI-5968 - Added the X-XSS-Protection and Strict-Transport-Security …
thenatog commented on a change in pull request #3273: NIFI-5968 - Added the X-XSS-Protection and Strict-Transport-Security … URL: https://github.com/apache/nifi/pull/3273#discussion_r251527821 ## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java ## @@ -583,13 +586,7 @@ private WebAppContext loadWar(final File warFile, final String contextPath, fina // configure the max form size (3x the default) webappContext.setMaxFormContentSize(60); -// add a filter to set the X-Frame-Options filter -webappContext.addFilter(new FilterHolder(FRAME_OPTIONS_FILTER), "/*", EnumSet.allOf(DispatcherType.class)); - -// add a filter to set the Content Security Policy frame-ancestors directive -FilterHolder cspFilter = new FilterHolder(new ContentSecurityPolicyFilter()); -cspFilter.setName(ContentSecurityPolicyFilter.class.getSimpleName()); -webappContext.addFilter(cspFilter, "/*", EnumSet.allOf(DispatcherType.class)); +addHTTPHeaders(webappContext); Review comment: Fixed this as well. This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] thenatog commented on a change in pull request #3273: NIFI-5968 - Added the X-XSS-Protection and Strict-Transport-Security …
thenatog commented on a change in pull request #3273: NIFI-5968 - Added the
X-XSS-Protection and Strict-Transport-Security …
URL: https://github.com/apache/nifi/pull/3273#discussion_r251457960
##
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java
##
@@ -602,6 +599,28 @@ private WebAppContext loadWar(final File warFile, final
String contextPath, fina
return webappContext;
}
+private void addHTTPHeaders(WebAppContext webappContext) {
+// Add a filter to set the X-Frame-Options header
+FilterHolder xfoFilter = new FilterHolder(new XFrameOptionsFilter());
+xfoFilter.setName(XFrameOptionsFilter.class.getSimpleName());
+webappContext.addFilter(xfoFilter, "/*",
EnumSet.allOf(DispatcherType.class));
+
+// Add a filter to set the Content Security Policy frame-ancestors
directive
+FilterHolder cspFilter = new FilterHolder(new
ContentSecurityPolicyFilter());
Review comment:
I've updated the PR with a commit to do what I think you're suggesting. Let
me know if it's in any way correct :)
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] thenatog commented on a change in pull request #3273: NIFI-5968 - Added the X-XSS-Protection and Strict-Transport-Security …
thenatog commented on a change in pull request #3273: NIFI-5968 - Added the
X-XSS-Protection and Strict-Transport-Security …
URL: https://github.com/apache/nifi/pull/3273#discussion_r251139976
##
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/headers/ContentSecurityPolicyFilter.java
##
@@ -28,7 +28,7 @@
import javax.servlet.FilterConfig;
/**
- * A filter to apply the Content Security Policy (which supersedes the
X-Frame-Options header).
+ * A filter to apply the Content Security Policy header.
*
*/
public class ContentSecurityPolicyFilter implements Filter {
Review comment:
We can apply the `default-src 'self'` directive but it also requires adding
`'unsafe-inline'`, otherwise our many inline scripts will be blocked by
default. They're already allowed anyway, so I guess there's no problem with
this.
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] thenatog commented on a change in pull request #3273: NIFI-5968 - Added the X-XSS-Protection and Strict-Transport-Security …
thenatog commented on a change in pull request #3273: NIFI-5968 - Added the
X-XSS-Protection and Strict-Transport-Security …
URL: https://github.com/apache/nifi/pull/3273#discussion_r250238788
##
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/java/org/apache/nifi/web/server/JettyServerTest.java
##
@@ -155,29 +155,4 @@ public void
testConfigureSslContextFactoryWithPkcsTrustStore() {
verify(contextFactory).setTrustStoreType(trustStoreType);
verify(contextFactory).setTrustStoreProvider(BouncyCastleProvider.PROVIDER_NAME);
}
-
-@Test
-public void testNoDuplicateXFrameOptions() throws NoSuchFieldException,
IllegalAccessException, ServletException, IOException {
Review comment:
Removed. I think this was simply a bad test and that what it was checking
for is handled by another unit test in HTTPHeaderFiltersTest.
I also think I should probably add some integration tests to check for these
HTTP headers in actual responses from JettyServer? But I didn't know where to
get an example on how we do that. At the least, the tests in
HTTPHeaderFiltersTest checks that each individual filter adds the headers we
expect. It just doesn't check whether the filters are added correctly and used
by JettyServer.
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] thenatog commented on a change in pull request #3273: NIFI-5968 - Added the X-XSS-Protection and Strict-Transport-Security …
thenatog commented on a change in pull request #3273: NIFI-5968 - Added the
X-XSS-Protection and Strict-Transport-Security …
URL: https://github.com/apache/nifi/pull/3273#discussion_r250238788
##
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/java/org/apache/nifi/web/server/JettyServerTest.java
##
@@ -155,29 +155,4 @@ public void
testConfigureSslContextFactoryWithPkcsTrustStore() {
verify(contextFactory).setTrustStoreType(trustStoreType);
verify(contextFactory).setTrustStoreProvider(BouncyCastleProvider.PROVIDER_NAME);
}
-
-@Test
-public void testNoDuplicateXFrameOptions() throws NoSuchFieldException,
IllegalAccessException, ServletException, IOException {
Review comment:
Removed. I think this was simply a bad test and that what it was checking
for is handled by another unit test in HTTPHeaderFiltersTest.
I also think I should probably add some integration tests to check for these
HTTP headers in actual responses from JettyServer? But I didn't know where to
get an example on how we do that. At the least, the tests in
HTTPHeaderFiltersTest checks that each individual filter adds the headers we
expect.
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] thenatog commented on a change in pull request #3273: NIFI-5968 - Added the X-XSS-Protection and Strict-Transport-Security …
thenatog commented on a change in pull request #3273: NIFI-5968 - Added the
X-XSS-Protection and Strict-Transport-Security …
URL: https://github.com/apache/nifi/pull/3273#discussion_r250238788
##
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/java/org/apache/nifi/web/server/JettyServerTest.java
##
@@ -155,29 +155,4 @@ public void
testConfigureSslContextFactoryWithPkcsTrustStore() {
verify(contextFactory).setTrustStoreType(trustStoreType);
verify(contextFactory).setTrustStoreProvider(BouncyCastleProvider.PROVIDER_NAME);
}
-
-@Test
-public void testNoDuplicateXFrameOptions() throws NoSuchFieldException,
IllegalAccessException, ServletException, IOException {
Review comment:
Removed. I think this was simply a bad test and that what it was checking
for is handled by another unit test in HTTPHeaderFiltersTest.
I also think I should probably add some integration tests to check for these
HTTP headers in actual responses, but I didn't know where to get an example on
how we do that.
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] thenatog commented on a change in pull request #3273: NIFI-5968 - Added the X-XSS-Protection and Strict-Transport-Security …
thenatog commented on a change in pull request #3273: NIFI-5968 - Added the
X-XSS-Protection and Strict-Transport-Security …
URL: https://github.com/apache/nifi/pull/3273#discussion_r250236583
##
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java
##
@@ -602,6 +599,28 @@ private WebAppContext loadWar(final File warFile, final
String contextPath, fina
return webappContext;
}
+private void addHTTPHeaders(WebAppContext webappContext) {
+// Add a filter to set the X-Frame-Options header
+FilterHolder xfoFilter = new FilterHolder(new XFrameOptionsFilter());
+xfoFilter.setName(XFrameOptionsFilter.class.getSimpleName());
+webappContext.addFilter(xfoFilter, "/*",
EnumSet.allOf(DispatcherType.class));
+
+// Add a filter to set the Content Security Policy frame-ancestors
directive
+FilterHolder cspFilter = new FilterHolder(new
ContentSecurityPolicyFilter());
+cspFilter.setName(ContentSecurityPolicyFilter.class.getSimpleName());
+webappContext.addFilter(cspFilter, "/*",
EnumSet.allOf(DispatcherType.class));
+
+// Add a filter to set the HSTS header
Review comment:
I'm not certain of the performance impact. From what I've seen when
debugging Jetty Filters, the call stack is pretty deep. I believe that for each
request, Jetty will iterate through the contexts until it finds a context
match, and then iterate through the attached filters? I'm not certain how
significant the impact of adding a few more filters will be. Do we have a
request response time filter for request/response times or did I imagine that?
We could try using that to check how much longer requests take.
I believe adding X-XSS-Protection will reduce performance when the browser
performs XSS checks?
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
[GitHub] thenatog commented on a change in pull request #3273: NIFI-5968 - Added the X-XSS-Protection and Strict-Transport-Security …
thenatog commented on a change in pull request #3273: NIFI-5968 - Added the X-XSS-Protection and Strict-Transport-Security … URL: https://github.com/apache/nifi/pull/3273#discussion_r250225707 ## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java ## @@ -583,13 +586,7 @@ private WebAppContext loadWar(final File warFile, final String contextPath, fina // configure the max form size (3x the default) webappContext.setMaxFormContentSize(60); -// add a filter to set the X-Frame-Options filter -webappContext.addFilter(new FilterHolder(FRAME_OPTIONS_FILTER), "/*", EnumSet.allOf(DispatcherType.class)); - -// add a filter to set the Content Security Policy frame-ancestors directive -FilterHolder cspFilter = new FilterHolder(new ContentSecurityPolicyFilter()); -cspFilter.setName(ContentSecurityPolicyFilter.class.getSimpleName()); -webappContext.addFilter(cspFilter, "/*", EnumSet.allOf(DispatcherType.class)); +addHTTPHeaders(webappContext); Review comment: Ah yes, I thought about that and then forgot. I'll look more into that. This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
