Re: Adding Content-Security-Policy support to HttpHeaderSecurityFilter
Mark,

On 3/24/20 17:51, Mark Thomas wrote:
> On 24/03/2020 21:28, Christopher Schultz wrote:
>> All,
>>
>> While replying to James's recent message about this filter's
>> anti click-jacking features[1], I was surprised to see that this
>> filter does not have any support for the Content-Security-Policy
>> header.
>>
>> Adding such support would be fairly simple: simply add a
>> "contentSecurityPolicy" attribute which gets dumped-out to every
>> response as a Content-Security-Policy header.
>>
>> Any votes for/against?
>
> See: https://bz.apache.org/bugzilla/show_bug.cgi?id=58837
>
> No objections to your proposal. I do wonder about the more general
> solution but I don't see that as a reason not to do this.

My 2018 self was a little more skeptical. 2020 me thinks that it's useful to bundle this into HttpHeaderSecurityFilter. CSP is a single header, not a suite of things like the anti-clickjacking ended up being.

Using url-rewrite for a single header is unnecessarily complex. Using Tomcat's rewrite for a single header might be reasonable, except that we already have a Filter essentially built for this kind of thing.

-chris
Re: Adding Content-Security-Policy support to HttpHeaderSecurityFilter
On 24/03/2020 21:28, Christopher Schultz wrote:
> All,
>
> While replying to James's recent message about this filter's anti
> click-jacking features[1], I was surprised to see that this filter
> does not have any support for the Content-Security-Policy header.
>
> Adding such support would be fairly simple: simply add a
> "contentSecurityPolicy" attribute which gets dumped-out to every
> response as a Content-Security-Policy header.
>
> Any votes for/against?

See: https://bz.apache.org/bugzilla/show_bug.cgi?id=58837

No objections to your proposal. I do wonder about the more general solution but I don't see that as a reason not to do this.

Mark
Adding Content-Security-Policy support to HttpHeaderSecurityFilter
All,

While replying to James's recent message about this filter's anti click-jacking features[1], I was surprised to see that this filter does not have any support for the Content-Security-Policy header.

Adding such support would be fairly simple: simply add a "contentSecurityPolicy" attribute which gets dumped-out to every response as a Content-Security-Policy header.

Any votes for/against?

-chris

[1] https://lists.apache.org/thread.html/rb9f6829febf9b56aef2888ea2b5a98ee13b14326c42225fc04ec13e5%40%3Cusers.tomcat.apache.org%3E