I have added content security policy to my project:
web.xml
<filter>
<filter-name>charEncodingFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetBeanName</param-name>
<param-value>characterEncodingFilter</param-value>
</init-param>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>charEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CSPFilter</filter-name>
<filter-class>com.analysis.security.CSPFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CSPFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
CSPFilter.java
class CSPFilter implements Filter {
public static final String POLICY = "default-src https: http:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: http:";
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain)
throws IOException, ServletException {
if (response instanceof HttpServletResponse) {
((HttpServletResponse)response).setHeader("Content-Security-Policy", CSPFilter.POLICY);
}
}
@Override
public void init(FilterConfig filterConfig) throws ServletException { }
@Override
public void destroy() { }
}
Now in the header I see :
Content-Security-Policy: default-src https: http:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: http:
But my web is empty(no script, no css). If I remove CSPFilter filter the appliaction works.
Any idea or suggestion? Thanks
Aucun commentaire:
Enregistrer un commentaire