Posted to commits@myfaces.apache.org by lo...@apache.org on 2013/09/10 15:36:07 UTC
svn commit: r1521478 - in /myfaces/tobago/trunk: src/site/apt/ tobago-core/ tobago-core/src/main/java/org/apache/myfaces/tobago/config/ tobago-core/src/main/java/org/apache/myfaces/tobago/context/ tobago-core/src/main/java/org/apache/myfaces/tobago/int...
Author: lofwyr
Date: Tue Sep 10 13:36:06 2013
New Revision: 1521478
URL: http://svn.apache.org/r1521478
Log:
TOBAGO-1310: Support for the CSP header field: Content-Security-Policy-Report-Only
- add support for "report-only"
TOBAGO-1171: Support for the Content Security Policy (CSP)
- change syntax for activating/deactivating
- adapt browser support
- same HTML rendering output (without attention to CSP state)
Added:
myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/ContentSecurityPolicy.java
myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/content/80-security/
myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/content/80-security/content-security-policy.xhtml
Modified:
myfaces/tobago/trunk/src/site/apt/migration-2.0.apt
myfaces/tobago/trunk/tobago-core/pom.xml
myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java
myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/ClientProperties.java
myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/UserAgent.java
myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java
myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java
myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java
myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java
myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/util/ResponseUtils.java
myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoResponseWriter.java
myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoServletContextListener.java
myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-2.0.xsd
myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/context/UserAgentUnitTest.java
myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigMergingUnitTest.java
myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParserUnitTest.java
myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-2.0.xml
myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-0.xml
myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-1.xml
myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-2.xml
myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-untidy-2.0.xml
myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml
myfaces/tobago/trunk/tobago-example/tobago-example-test/src/test/java/org/apache/myfaces/tobago/example/test/TestTheAutomaticSeleniumTest.java
myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java
myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/META-INF/tobago-config.xml
Modified: myfaces/tobago/trunk/src/site/apt/migration-2.0.apt
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/src/site/apt/migration-2.0.apt?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/src/site/apt/migration-2.0.apt (original)
+++ myfaces/tobago/trunk/src/site/apt/migration-2.0.apt Tue Sep 10 13:36:06 2013
@@ -34,12 +34,12 @@ Artifacts (JAR-Files)
CSP
- Tobago supports Content Security Policy (SCP) to prevent cross-site
+ Tobago supports Content Security Policy (CSP) to prevent cross-site
scripting (XSS) and related attacks.
Specification link http://www.w3.org/TR/CSP/
In short: The HTML page doesn't contain any JavaScript or CSS information.
All allowed sources for JavaScript, CSS and other resources have to be declared in special header.
- If you have own renderers or own JavaScript in your application, this code also needs to support SCP, to use this feature.
+ If you have own renderers or own JavaScript in your application, this code also needs to support CSP, to use this feature.
* Warning:
@@ -52,9 +52,8 @@ CSP
To add sites to the CSP headers, add <<<\<directive\>>>> tags to <<<\<content-security-policy\>>>> in
the <<<tobago-config.xml>>>.
- To turn off CSP, add an empty <<<\<content-security-policy extension-mode="replace"\>>>> tag in the configuration.
- This will reset the list of directive entries.
- If there is no entry, the feature is disabled.
+ To turn off CSP, add an empty <<<\<content-security-policy mode="off"\>>>> tag in the configuration.
+ For development, you may also use mode="report-only", which sets the appropriate header.
Java-API
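Review bot: the new line `+ For development, you may also use mode="report-only", which sets the appropriate header.` should say what the report-only header does, since that is the reason to use it: the policy is sent as Content-Security-Policy-Report-Only, so the browser reports violations instead of blocking them, and reports are only delivered if the policy contains a report-uri directive. The same paragraph should also list mode="on" (the value the code accepts for enforcement) and state that the mode attribute must be one of on, off or report-only, because the parser in this commit rejects anything else at startup.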
Modified: myfaces/tobago/trunk/tobago-core/pom.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/pom.xml?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/pom.xml (original)
+++ myfaces/tobago/trunk/tobago-core/pom.xml Tue Sep 10 13:36:06 2013
@@ -258,12 +258,14 @@
<groupId>com.google.caliper</groupId>
<artifactId>caliper</artifactId>
</dependency-->
+<!--
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>2.2.2</version>
<scope>compile</scope>
</dependency>
+-->
</dependencies>
<profiles>
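Review bot: the gson dependency is commented out (`+<!--` ... `+-->`) rather than removed; its only user, the benchmark block in TobagoResponseWriter, is deleted in this same commit, so the dependency block should be deleted too, or carry a one-line comment saying why it is kept.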
Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java Tue Sep 10 13:36:06 2013
@@ -21,6 +21,7 @@ package org.apache.myfaces.tobago.config
import org.apache.myfaces.tobago.application.ProjectStage;
import org.apache.myfaces.tobago.context.Theme;
+import org.apache.myfaces.tobago.internal.config.ContentSecurityPolicy;
import javax.faces.context.FacesContext;
import javax.servlet.ServletContext;
@@ -72,8 +73,6 @@ public abstract class TobagoConfig {
public abstract boolean isPreventFrameAttacks();
- public abstract List<String> getContentSecurityPolicy();
-
- public abstract boolean isContentSecurityPolicyActive();
+ public abstract ContentSecurityPolicy getContentSecurityPolicy();
}
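Review bot: `+ public abstract ContentSecurityPolicy getContentSecurityPolicy();` makes the public abstract class TobagoConfig return a type from the `internal.config` package, so an internal class becomes part of the public API; either move ContentSecurityPolicy to `org.apache.myfaces.tobago.config` or expose an interface there. The removed `isContentSecurityPolicyActive()` has no public replacement; callers now need `getContentSecurityPolicy().getMode() != Mode.OFF`, which the migration document should mention.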
Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/ClientProperties.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/ClientProperties.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/ClientProperties.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/ClientProperties.java Tue Sep 10 13:36:06 2013
@@ -124,23 +124,16 @@ public class ClientProperties implements
}
/**
- * @deprecated since 1.5. Please use
- * {@link
- * org.apache.myfaces.tobago.util.VariableResolverUtils#resolveClientProperties(javax.faces.context.FacesContext)}
+ * @deprecated since 1.5. Please use
+ * {@link #getInstance(javax.faces.context.FacesContext)}
*/
@Deprecated
public static ClientProperties getInstance(UIViewRoot viewRoot) {
return getInstance(FacesContext.getCurrentInstance());
}
- /**
- * @deprecated since 1.5. Please use
- * {@link
- * org.apache.myfaces.tobago.util.VariableResolverUtils#resolveClientProperties(javax.faces.context.FacesContext)}
- */
- @Deprecated
public static ClientProperties getInstance(FacesContext facesContext) {
- return (ClientProperties) VariableResolverUtils.resolveClientProperties(facesContext);
+ return (ClientProperties) VariableResolverUtils.resolveVariable(facesContext, MANAGED_BEAN_NAME);
}
/**
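Review bot: removing `@Deprecated` from `getInstance(FacesContext)` and changing its body to `VariableResolverUtils.resolveVariable(facesContext, MANAGED_BEAN_NAME)` is an API change unrelated to CSP that the commit log does not mention; it should be called out there, and `MANAGED_BEAN_NAME` is not visible in this hunk, so please confirm it is a constant of this class rather than a new dependency.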
Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/UserAgent.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/UserAgent.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/UserAgent.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/UserAgent.java Tue Sep 10 13:36:06 2013
@@ -20,17 +20,22 @@
package org.apache.myfaces.tobago.context;
import org.apache.myfaces.tobago.internal.util.Deprecation;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
+import java.util.StringTokenizer;
public class UserAgent implements Serializable {
private static final long serialVersionUID = 2L;
+ private static final Logger LOG = LoggerFactory.getLogger(UserAgent.class);
+
public static final String DEFAULT_NAME = "standard";
public static final UserAgent DEFAULT = new UserAgent(null, null);
@@ -49,12 +54,14 @@ public class UserAgent implements Serial
@Deprecated
public static final UserAgent MSIE_5_5 = new UserAgent("msie", "5_5");
- public static final UserAgent MSIE_6_0 = new UserAgent("msie", "6_0");
+ public static final UserAgent MSIE_6_0
+ = new UserAgent("msie", "6_0", null, CspHeader.NOT_SUPPORTED, CsproHeader.NOT_SUPPORTED);
- public static final UserAgent MSIE_7_0 = new UserAgent("msie", "7_0");
+ public static final UserAgent MSIE_7_0
+ = new UserAgent("msie", "7_0", null, CspHeader.NOT_SUPPORTED, CsproHeader.NOT_SUPPORTED);
- public static final UserAgent MSIE_7_0_COMPAT
- = new UserAgent("msie", "7_0", EnumSet.of(Capability.IE_COMPATIBILITY_MODE));
+ public static final UserAgent MSIE_7_0_COMPAT = new UserAgent(
+ "msie", "7_0", EnumSet.of(Capability.IE_COMPATIBILITY_MODE), CspHeader.NOT_SUPPORTED, CsproHeader.NOT_SUPPORTED);
/**
* @deprecated no longer supported, since Tobago 1.5. Misspelled. Use {@link #MSIE_7_0}
@@ -62,12 +69,15 @@ public class UserAgent implements Serial
@Deprecated
public static final UserAgent MSIE_7_O = MSIE_7_0;
- public static final UserAgent MSIE_8_0 = new UserAgent("msie", "8_0");
+ public static final UserAgent MSIE_8_0 = new UserAgent(
+ "msie", "8_0", EnumSet.of(Capability.CONTENT_TYPE_XHTML), CspHeader.NOT_SUPPORTED, CsproHeader.NOT_SUPPORTED);
- public static final UserAgent MSIE_9_0 = new UserAgent("msie", "9_0", EnumSet.of(Capability.CONTENT_TYPE_XHTML));
+ public static final UserAgent MSIE_9_0 = new UserAgent(
+ "msie", "9_0", EnumSet.of(Capability.CONTENT_TYPE_XHTML), CspHeader.NOT_SUPPORTED, CsproHeader.NOT_SUPPORTED);
- public static final UserAgent MSIE_10_0
- = new UserAgent("msie", "10_0", EnumSet.of(Capability.CONTENT_TYPE_XHTML), CspHeader.CSP_GECKO);
+ // CSP is not fully supported, only sandboxing
+ public static final UserAgent MSIE_10_0 = new UserAgent(
+ "msie", "10_0", EnumSet.of(Capability.CONTENT_TYPE_XHTML), CspHeader.X, CsproHeader.X);
/**
* @deprecated no longer supported, since Tobago 1.5
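Review bot: the comment `+ // CSP is not fully supported, only sandboxing` above `MSIE_10_0` should state the consequence: with `CspHeader.X` the complete directive list is sent under `X-Content-Security-Policy` (and under `Content-Security-Policy`, which IE10 ignores), so IE10 silently drops every directive except `sandbox` while the server-side configuration says a policy is in force. Either document that limitation in the migration page or send only the sandbox directive in the X variant for MSIE.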
@@ -137,61 +147,71 @@ public class UserAgent implements Serial
/**
* e. g. Firefox
*/
- public static final UserAgent GECKO
- = new UserAgent("gecko", null, EnumSet.of(Capability.CONTENT_TYPE_XHTML), CspHeader.CSP_GECKO);
+ public static final UserAgent GECKO = new UserAgent("gecko", null, EnumSet.of(Capability.CONTENT_TYPE_XHTML));
/**
* e. g. Firefox 2.0
*/
- public static final UserAgent GECKO_1_8 = new UserAgent("gecko", "1_8", EnumSet.of(Capability.CONTENT_TYPE_XHTML));
+ public static final UserAgent GECKO_1_8 = new UserAgent("gecko", "1_8", EnumSet.of(Capability.CONTENT_TYPE_XHTML),
+ CspHeader.NOT_SUPPORTED, CsproHeader.NOT_SUPPORTED);
/**
* e. g. Firefox 3.0, 3.5, 3.6
*/
- public static final UserAgent GECKO_1_9 = new UserAgent("gecko", "1_9", EnumSet.of(Capability.CONTENT_TYPE_XHTML));
+ public static final UserAgent GECKO_1_9 = new UserAgent("gecko", "1_9", EnumSet.of(Capability.CONTENT_TYPE_XHTML),
+ CspHeader.NOT_SUPPORTED, CsproHeader.NOT_SUPPORTED);
/**
- * e. g. Firefox 4.0
+ * e. g. Firefox 4 to 22
*/
public static final UserAgent GECKO_2_0
- = new UserAgent("gecko", "2_0",
- EnumSet.of(Capability.PLACEHOLDER, Capability.CONTENT_TYPE_XHTML), CspHeader.CSP_GECKO);
+ = new UserAgent("gecko", null,
+ EnumSet.of(Capability.PLACEHOLDER, Capability.CONTENT_TYPE_XHTML), CspHeader.X, CsproHeader.X);
/**
- * e. g. Firefox 5.0
+ * e. g. Firefox 23 or higher
*/
- public static final UserAgent GECKO_5_0
- = new UserAgent("gecko", "5_0",
- EnumSet.of(Capability.PLACEHOLDER, Capability.CONTENT_TYPE_XHTML), CspHeader.CSP_GECKO);
+ public static final UserAgent GECKO_23_0
+ = new UserAgent("gecko", null,
+ EnumSet.of(Capability.PLACEHOLDER, Capability.CONTENT_TYPE_XHTML), CspHeader.STANDARD, CsproHeader.STANDARD);
/**
* e. g. Safari 4, Safari 5, Chrome
*/
public static final UserAgent WEBKIT
= new UserAgent("webkit", null,
- EnumSet.of(Capability.PLACEHOLDER, Capability.CONTENT_TYPE_XHTML), CspHeader.CSP_WEBKIT);
+ EnumSet.of(Capability.PLACEHOLDER, Capability.CONTENT_TYPE_XHTML), CspHeader.WEBKIT, CsproHeader.WEBKIT);
private final String name;
+ /**
+ * @deprecated Version shouldn't be used in the future. Use capability instead, even better
+ * use same code on the server when possible and use capability via JavaScript.
+ */
+ @Deprecated
private final String version;
private final EnumSet<Capability> capabilities;
private final CspHeader cspHeader;
+ private final CsproHeader csproHeader;
+
private UserAgent(String name, String version) {
this(name, version, EnumSet.of(Capability.CONTENT_TYPE_XHTML));
}
private UserAgent(String name, String version, EnumSet<Capability> capabilities) {
- this(name, version, capabilities, CspHeader.CSP_NOT_SUPPORTED);
+ this(name, version, capabilities, CspHeader.STANDARD, CsproHeader.STANDARD);
}
- private UserAgent(String name, String version, EnumSet<Capability> capabilities, CspHeader cspHeader) {
+ private UserAgent(
+ String name, String version, EnumSet<Capability> capabilities, CspHeader cspHeader, CsproHeader csproHeader) {
this.name = name;
this.version = version;
this.capabilities = capabilities;
this.cspHeader = cspHeader;
+ this.csproHeader = csproHeader;
}
public boolean hasCapability(Capability capability) {
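Review bot: the three-argument constructor change `- this(name, version, capabilities, CspHeader.CSP_NOT_SUPPORTED);` to `+ this(name, version, capabilities, CspHeader.STANDARD, CsproHeader.STANDARD);` flips the default for every agent that does not pass the header enums explicitly, including `DEFAULT`, `GECKO` and any unrecognized browser, from sending nothing to sending `Content-Security-Policy`. That is the right direction for enforcement, but it is a behaviour change that deserves a line in the commit log. Two smaller points: `GECKO_2_0` and `GECKO_23_0` now both have `version == null`, so they differ only by identity and header enums, which anything relying on `version` for equality or logging should be checked against; and `@Deprecated` on a private final field has no effect on callers, so the deprecation note belongs on the public getter for the version.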
@@ -234,10 +254,17 @@ public class UserAgent implements Serial
}
/**
- * @return The HTTP header name for Content-Security-Policy.
+ * @return The HTTP header names for Content-Security-Policy.
+ */
+ public String[] getCspHeaders() {
+ return cspHeader.getNames();
+ }
+
+ /**
+ * @return The HTTP header name for Content-Security-Policy-Report-Only.
*/
- public String getCspHeader() {
- return cspHeader.getName();
+ public String[] getCspReportOnlyHeaders() {
+ return csproHeader.getNames();
}
public static UserAgent getInstance(String header) {
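Review bot: `+ return cspHeader.getNames();` and `+ return csproHeader.getNames();` hand out the enum constant's internal `String[]`; arrays are mutable, so any caller can change the header names used for every subsequent response. Return `names.clone()` from `getNames()` or store the names as an unmodifiable `List<String>`. The second javadoc, `The HTTP header name for Content-Security-Policy-Report-Only.`, should also read "names", as the first one was corrected to.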
@@ -270,11 +297,22 @@ public class UserAgent implements Serial
return GECKO_1_8;
} else if (header.contains("rv:1.9")) {
return GECKO_1_9;
- } else if (header.contains("rv:2.0")) {
- return GECKO_2_0;
- } else if (header.contains("rv:5.0")) {
- return GECKO_5_0;
} else {
+ final int index = header.indexOf("rv:");
+ final StringTokenizer tokenizer = new StringTokenizer(header.substring(index + 3), " .");
+ final String versionString = tokenizer.nextToken();
+ try {
+ int version = Integer.parseInt(versionString);
+ if (version >= 23) {
+ return GECKO_23_0;
+ } else if (version >= 2) {
+ return GECKO_2_0;
+ }
+ } catch (NumberFormatException e) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(header, e);
+ }
+ }
return GECKO;
}
} else if (header.contains("Presto")) {
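Review bot: the new parsing block after `} else {` is not robust against a malformed User-Agent header, which is client-supplied: if the header contains no `rv:`, `indexOf` returns -1 and `substring(2)` parses the wrong text, and if nothing follows `rv:`, `tokenizer.nextToken()` throws `NoSuchElementException`, which `catch (NumberFormatException e)` does not cover, so the exception propagates out of `getInstance` and breaks rendering for that request. Guard with `index >= 0 && tokenizer.hasMoreTokens()` (or catch `RuntimeException`) and fall through to the existing `return GECKO;` default.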
@@ -305,19 +343,37 @@ public class UserAgent implements Serial
private static enum CspHeader {
- CSP_NOT_SUPPORTED(null),
- CSP_GECKO("X-Content-Security-Policy"),
- CSP_WEBKIT("X-WebKit-CSP"),
- CSP_STANDARD("Content-Security-Policy");
+ NOT_SUPPORTED(new String[] {}),
+ X(new String[] {"Content-Security-Policy", "X-Content-Security-Policy"}),
+ WEBKIT(new String[] {"Content-Security-Policy", "X-WebKit-CSP"}),
+ STANDARD(new String[] {"Content-Security-Policy"});
+
+ private String[] names;
+
+ private CspHeader(String[] names) {
+ this.names = names;
+ }
+
+ public String[] getNames() {
+ return names;
+ }
+ }
+
+ private static enum CsproHeader {
+
+ NOT_SUPPORTED(new String[] {}),
+ X(new String[] {"Content-Security-Policy-Report-Only", "X-Content-Security-Policy-Report-Only"}),
+ WEBKIT(new String[] {"Content-Security-Policy-Report-Only", "X-WebKit-CSP-Report-Only"}),
+ STANDARD(new String[] {"Content-Security-Policy-Report-Only"});
- private String name;
+ private String[] names;
- private CspHeader(String name) {
- this.name = name;
+ private CsproHeader(String[] names) {
+ this.names = names;
}
- public String getName() {
- return name;
+ public String[] getNames() {
+ return names;
}
}
}
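Review bot: `CspHeader` and the new `+ private static enum CsproHeader {` duplicate the same structure with the same four levels (NOT_SUPPORTED, X, WEBKIT, STANDARD), and every constant above passes both with the same level; one enum holding two arrays (enforce names and report-only names) would keep the pairs from drifting apart. Also declare `names` as `final` in both.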
Added: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/ContentSecurityPolicy.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/ContentSecurityPolicy.java?rev=1521478&view=auto
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/ContentSecurityPolicy.java (added)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/ContentSecurityPolicy.java Tue Sep 10 13:36:06 2013
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.myfaces.tobago.internal.config;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class ContentSecurityPolicy {
+
+ private Mode mode;
+ private List<String> directiveList;
+
+ public ContentSecurityPolicy(String mode) {
+ this.mode = Mode.parse(mode);
+ this.directiveList = new ArrayList<String>();
+ }
+
+ public void merge(ContentSecurityPolicy other) {
+ directiveList.addAll(other.directiveList);
+ mode = other.mode;
+ }
+
+ public List<String> getDirectiveList() {
+ return directiveList;
+ }
+
+ public Mode getMode() {
+ return mode;
+ }
+
+ public static enum Mode {
+ ON("on"),
+ OFF("off"),
+ REPORT_ONLY("report-only");
+
+ private final String value;
+
+ private Mode(String value) {
+ this.value = value;
+ }
+
+ public String getValue() {
+ return value;
+ }
+
+ public static Mode parse(String string) {
+ if (ON.value.equals(string)) {
+ return ON;
+ } else if (OFF.value.equals(string)) {
+ return OFF;
+ } else if (REPORT_ONLY.value.equals(string)) {
+ return REPORT_ONLY;
+ } else {
+ throw new IllegalArgumentException("Found: " + string);
+ }
+ }
+ }
+
+}
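Review bot: `merge` (`+ directiveList.addAll(other.directiveList);` followed by `+ mode = other.mode;`) takes the mode from the later fragment but only ever appends directives, so the reset that the removed `extension-mode="replace"` provided no longer exists: a webapp that wants a stricter policy than the theme's default cannot drop a directive, only add to it, and a later fragment with mode="off" leaves the directive list in place (harmless because OFF sends no header, but surprising when switching back to report-only). Consider letting OFF clear the list or keeping a replace option. Two smaller points: `Mode.parse(null)` throws `IllegalArgumentException("Found: null")`, which is what a `<content-security-policy>` element without a `mode` attribute produces, so either the XSD must require the attribute or the constructor should default; and `getDirectiveList()` exposes the mutable list, which is how the parser adds entries, so either document that or add an `addDirective` method.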
Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java Tue Sep 10 13:36:06 2013
@@ -43,8 +43,7 @@ public class TobagoConfigFragment {
private Boolean createSessionSecret;
private Boolean checkSessionSecret;
private Boolean preventFrameAttacks;
- private List<String> contentSecurityPolicy;
- private boolean contentSecurityPolicyExtensionModeReplace;
+ private ContentSecurityPolicy contentSecurityPolicy;
private List<ThemeImpl> themeDefinitions;
private URL url;
@@ -54,7 +53,6 @@ public class TobagoConfigFragment {
supportedThemeNames = new ArrayList<String>();
resourceDirs = new ArrayList<String>();
themeDefinitions = new ArrayList<ThemeImpl>();
- contentSecurityPolicy = new ArrayList<String>();
}
public void addSupportedThemeName(String name) {
@@ -156,20 +154,12 @@ public class TobagoConfigFragment {
this.preventFrameAttacks = preventFrameAttacks;
}
- public List<String> getContentSecurityPolicy() {
+ public ContentSecurityPolicy getContentSecurityPolicy() {
return contentSecurityPolicy;
}
- public void addContentSecurityPolicy(String directive) {
- contentSecurityPolicy.add(directive);
- }
-
- public boolean isContentSecurityPolicyExtensionModeReplace() {
- return contentSecurityPolicyExtensionModeReplace;
- }
-
- public void setContentSecurityPolicyExtensionModeReplace(boolean contentSecurityPolicyExtensionModeReplace) {
- this.contentSecurityPolicyExtensionModeReplace = contentSecurityPolicyExtensionModeReplace;
+ public void setContentSecurityPolicy(ContentSecurityPolicy contentSecurityPolicy) {
+ this.contentSecurityPolicy = contentSecurityPolicy;
}
/** @deprecated since 1.5.0 */
Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java Tue Sep 10 13:36:06 2013
@@ -59,7 +59,7 @@ public class TobagoConfigImpl extends To
private boolean createSessionSecret;
private boolean checkSessionSecret;
private boolean preventFrameAttacks;
- private List<String> contentSecurityPolicy;
+ private ContentSecurityPolicy contentSecurityPolicy;
private URL url;
private Map<String, String> defaultValidatorInfo;
@@ -70,7 +70,7 @@ public class TobagoConfigImpl extends To
createSessionSecret = true;
checkSessionSecret = true;
preventFrameAttacks = true;
- contentSecurityPolicy = new ArrayList<String>();
+ contentSecurityPolicy = new ContentSecurityPolicy(ContentSecurityPolicy.Mode.OFF.getValue());
}
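Review bot: `+ contentSecurityPolicy = new ContentSecurityPolicy(ContentSecurityPolicy.Mode.OFF.getValue());` round-trips the enum through its string only to parse it again; a constructor `ContentSecurityPolicy(Mode mode)` would avoid that. OFF is the safe default for existing applications, but it means the secure setting depends entirely on the theme's `tobago-config.xml` (modified in this commit but not shown in this mail) switching it on, so the migration document should say which mode a Tobago 2.0 application gets out of the box.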
public void addSupportedThemeName(String name) {
@@ -282,18 +282,10 @@ public class TobagoConfigImpl extends To
this.preventFrameAttacks = preventFrameAttacks;
}
- public List<String> getContentSecurityPolicy() {
+ public ContentSecurityPolicy getContentSecurityPolicy() {
return contentSecurityPolicy;
}
- public void addContentSecurityPolicy(String directive) {
- contentSecurityPolicy.add(directive);
- }
-
- public boolean isContentSecurityPolicyActive() {
- return contentSecurityPolicy.size() > 0;
- }
-
public Map<String, String> getDefaultValidatorInfo() {
// TODO: if the startup hasn't found a FacesContext and Application, this may depend on the order of the listeners.
Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java Tue Sep 10 13:36:06 2013
@@ -152,8 +152,8 @@ public class TobagoConfigParser extends
break;
case CONTENT_SECURITY_POLICY:
- final String extensionMode = attributes.getValue("extension-mode");
- tobagoConfig.setContentSecurityPolicyExtensionModeReplace("replace".equals(extensionMode));
+ final String mode = attributes.getValue("mode");
+ tobagoConfig.setContentSecurityPolicy(new ContentSecurityPolicy(mode));
break;
case RENDERERS:
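Review bot: `+ tobagoConfig.setContentSecurityPolicy(new ContentSecurityPolicy(mode));` passes the raw attribute value, so a `<content-security-policy>` element without `mode` fails at startup with `IllegalArgumentException: Found: null`. If the attribute is optional in `tobago-config-2.0.xsd`, fall back to a default here; if it is required, the error message should name the element and the allowed values (on, off, report-only) so the configuration mistake is actionable.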
@@ -296,7 +296,7 @@ public class TobagoConfigParser extends
break;
case DIRECTIVE:
- tobagoConfig.addContentSecurityPolicy(text);
+ tobagoConfig.getContentSecurityPolicy().getDirectiveList().add(text);
break;
case MARKUP:
Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java Tue Sep 10 13:36:06 2013
@@ -103,12 +103,8 @@ public class TobagoConfigSorter implemen
result.setPreventFrameAttacks(fragment.getPreventFrameAttacks());
}
- if (fragment.isContentSecurityPolicyExtensionModeReplace()) {
- result.getContentSecurityPolicy().clear();
- } else {
- for (String directive : fragment.getContentSecurityPolicy()) {
- result.addContentSecurityPolicy(directive);
- }
+ if (fragment.getContentSecurityPolicy() != null) {
+ result.getContentSecurityPolicy().merge(fragment.getContentSecurityPolicy());
}
// theme definition
Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/util/ResponseUtils.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/util/ResponseUtils.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/util/ResponseUtils.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/util/ResponseUtils.java Tue Sep 10 13:36:06 2013
@@ -21,13 +21,13 @@ package org.apache.myfaces.tobago.intern
import org.apache.myfaces.tobago.context.ClientProperties;
import org.apache.myfaces.tobago.context.UserAgent;
+import org.apache.myfaces.tobago.internal.config.ContentSecurityPolicy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletResponse;
-import java.util.List;
public class ResponseUtils {
@@ -76,19 +76,34 @@ public class ResponseUtils {
}
}
- public static void ensureContentSecurityPolicyHeader(FacesContext facesContext, List<String> contentSecurityPolicy) {
+ public static void ensureContentSecurityPolicyHeader(
+ FacesContext facesContext, ContentSecurityPolicy contentSecurityPolicy) {
// TODO PortletRequest
if (facesContext.getExternalContext().getResponse() instanceof HttpServletResponse) {
final UserAgent userAgent = ClientProperties.getInstance(facesContext).getUserAgent();
- final String cspHeader = userAgent.getCspHeader();
- if (cspHeader != null) {
- final StringBuilder value = new StringBuilder();
- for (String directive : contentSecurityPolicy) {
- value.append(directive);
- value.append(";");
- }
+ final String[] cspHeaders;
+ switch (contentSecurityPolicy.getMode()) {
+ case OFF:
+ cspHeaders = new String[0];
+ break;
+ case ON:
+ cspHeaders = userAgent.getCspHeaders();
+ break;
+ case REPORT_ONLY:
+ cspHeaders = userAgent.getCspReportOnlyHeaders();
+ break;
+ default:
+ throw new IllegalArgumentException("Undefined mode: " + contentSecurityPolicy.getMode());
+ }
+ final StringBuilder builder = new StringBuilder();
+ for (String directive : contentSecurityPolicy.getDirectiveList()) {
+ builder.append(directive);
+ builder.append(";");
+ }
+ String value = builder.toString();
+ for (String cspHeader : cspHeaders) {
final HttpServletResponse response = (HttpServletResponse) facesContext.getExternalContext().getResponse();
- response.setHeader(cspHeader, value.toString());
+ response.setHeader(cspHeader, value);
}
}
}
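Review bot: after the `switch`, the header is set even when the directive list is empty: for mode ON with no directives, `value` is `""` and `response.setHeader(cspHeader, value)` sends an empty `Content-Security-Policy`, which the browser treats as a policy with no restrictions while configuration and startup log say CSP is on. Skip the header loop when `value` is empty (and warn at startup), and move the `StringBuilder` work inside a `cspHeaders.length > 0` check so OFF mode does no string building per request. Style: `String value` should be `final` like the surrounding locals.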
Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoResponseWriter.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoResponseWriter.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoResponseWriter.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoResponseWriter.java Tue Sep 10 13:36:06 2013
@@ -19,7 +19,6 @@
package org.apache.myfaces.tobago.webapp;
-import org.apache.myfaces.tobago.config.TobagoConfig;
import org.apache.myfaces.tobago.renderkit.css.Classes;
import org.apache.myfaces.tobago.renderkit.css.Style;
import org.apache.myfaces.tobago.renderkit.html.DataAttributes;
@@ -27,7 +26,6 @@ import org.apache.myfaces.tobago.renderk
import org.apache.myfaces.tobago.renderkit.html.HtmlElements;
import javax.faces.component.UIComponent;
-import javax.faces.context.FacesContext;
import javax.faces.context.ResponseWriter;
import java.io.IOException;
import java.io.Writer;
@@ -150,54 +148,15 @@ public abstract class TobagoResponseWrit
@Deprecated
public abstract void writeClassAttribute() throws IOException;
-/*
- private long self = 0;
- private long gson = 0;
-
- private synchronized void time(long s, long g) {
- self += s;
- gson += g;
- }
-
- private static final Logger LOG = LoggerFactory.getLogger(TobagoResponseWriter.class);
-
- public static final Gson GSON = new Gson();
-
-*/
/**
* Write the style attribute. The value will not escaped.
*/
public void writeStyleAttribute(Style style) throws IOException {
if (style != null) {
- if (TobagoConfig.getInstance(FacesContext.getCurrentInstance()).isContentSecurityPolicyActive()) {
-
-// final long a = System.nanoTime();
-
- final String json = style.encodeJson();
-
-/*
- final long b = System.nanoTime();
-
- final String json2 = GSON.toJson(style);
-
- final long c = System.nanoTime();
-
- time(b-a, c-b);
-
- LOG.error("self: " + json);
- LOG.error("gson: " + json2);
- LOG.error("self: " + self + " gson: " + gson);
-
-*/
- if (json.length() > 2) { // empty "{}" needs not to be written
- writeAttribute(DataAttributes.STYLE, json, true);
- }
- } else {
-
- final String value = style.encode();
- if (value.length() > 0) {
- writeAttribute(HtmlAttributes.STYLE, value, style.needsToBeEscaped());
- }
+ final String json = style.encodeJson();
+ if (json.length() > 2) { // empty "{}" needs not to be written
+ writeAttribute(DataAttributes.STYLE, json, true);
+ // todo: check not escaping, when it's not needed, use: style.needsToBeEscaped()
}
}
}
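Review bot: the replacement `writeAttribute(DataAttributes.STYLE, json, true)` now runs regardless of the CSP mode, and the todo directly beneath it proposes dropping the escaping when `style.needsToBeEscaped()` is false. Keep the unconditional `true`: the JSON lands inside an HTML attribute, so attribute escaping is what stops a style value from breaking out of the attribute; if the todo is pursued, document what `encodeJson()` guarantees about its output first. Also, `json.length() > 2` encodes the empty-object check as a magic number; an explicit `"{}".equals(json)` check says what is meant.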
Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoServletContextListener.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoServletContextListener.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoServletContextListener.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoServletContextListener.java Tue Sep 10 13:36:06 2013
@@ -20,6 +20,7 @@
package org.apache.myfaces.tobago.webapp;
import org.apache.myfaces.tobago.config.TobagoConfig;
+import org.apache.myfaces.tobago.internal.config.ContentSecurityPolicy;
import org.apache.myfaces.tobago.internal.config.TobagoConfigBuilder;
import org.apache.myfaces.tobago.internal.context.ResourceManagerFactory;
import org.slf4j.Logger;
@@ -50,14 +51,19 @@ public class TobagoServletContextListene
if (LOG.isInfoEnabled()) {
final TobagoConfig tobagoConfig = TobagoConfig.getInstance(servletContext);
LOG.info("TobagoConfig: " + tobagoConfig);
- if (tobagoConfig.isContentSecurityPolicyActive()) {
- LOG.info("********************************************************************************");
- LOG.info("* Note: CSP is activated! *");
- LOG.info("* You may need to check application specific JavaScript code. *");
- LOG.info("* Otherwise the application will not run in browsers, that are supporting CSP. *");
- LOG.info("* For more information see http://myfaces.apache.org/tobago/migration-2.0.html *");
- LOG.info("********************************************************************************");
+ final ContentSecurityPolicy.Mode mode = tobagoConfig.getContentSecurityPolicy().getMode();
+ StringBuilder builder = new StringBuilder();
+ builder.append("\n*************************************************************************************");
+ builder.append("\nNote: CSP is ");
+ builder.append(mode);
+ if (mode == ContentSecurityPolicy.Mode.ON) {
+ builder.append("\nYou may need to check application specific JavaScript code.");
+ builder.append("\nOtherwise the application will not run in modern browsers, that are supporting CSP.");
+ builder.append("\nFor more information see http://myfaces.apache.org/tobago/migration-2.0.html");
}
+ builder.append("\n*************************************************************************************");
+ final String note = builder.toString();
+ LOG.info(note);
LOG.info("ResourcesManager: " + ResourceManagerFactory.getResourceManager(servletContext));
}
}
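Review bot: the banner only explains the consequences for `Mode.ON`; for `REPORT_ONLY` it just prints the mode name, so an operator does not learn that violations are reported but not enforced and that pages still run unrestricted. Suggest a line for that case next to the `if (mode == ContentSecurityPolicy.Mode.ON)` block. Minor: `StringBuilder builder` is the only non-final local in the method, and the message "modern browsers, that are supporting CSP." should read "modern browsers that support CSP".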
Modified: myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-2.0.xsd
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-2.0.xsd?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-2.0.xsd (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-2.0.xsd Tue Sep 10 13:36:06 2013
@@ -105,15 +105,14 @@
<xs:sequence>
<xs:element name="directive" type="xs:string" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
- <xs:attribute name="extension-mode"
- type="tobago:extension-mode-type"
- default="add"/>
+ <xs:attribute name="mode" type="tobago:scp-mode-type" use="required"/>
</xs:complexType>
- <xs:simpleType name="extension-mode-type">
+ <xs:simpleType name="scp-mode-type">
<xs:restriction base="xs:token">
- <xs:enumeration value="add"/>
- <xs:enumeration value="replace"/>
+ <xs:enumeration value="on"/>
+ <xs:enumeration value="off"/>
+ <xs:enumeration value="report-only"/>
</xs:restriction>
</xs:simpleType>
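Review bot: the new simple type is named `scp-mode-type`, which looks like a transposition of `csp-mode-type` (the element is `content-security-policy`); schema type names show up in validation errors and in users' editors, so rename before the 2.0 release. `use="required"` on `mode` also means every existing `<content-security-policy>` element without the attribute (as `tobago-config-merge-0.xml` had before this commit) now fails validation; that is the intended syntax change, but it needs a sentence in migration-2.0.apt.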
Modified: myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/context/UserAgentUnitTest.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/context/UserAgentUnitTest.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/context/UserAgentUnitTest.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/context/UserAgentUnitTest.java Tue Sep 10 13:36:06 2013
@@ -99,8 +99,12 @@ public class UserAgentUnitTest {
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3pre) Gecko/20100328 Ubuntu/9.10 (karmic) "
+ "Namoroka/3.6.3pre"},
+ {"Firefox 23.0 - Mac OS X Mountain Lion",
+ UserAgent.GECKO_23_0,
+ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:23.0) Gecko/20100101 Firefox/23.0"},
+
{"Firefox 5.0 - Mac OS X Snow Leopard",
- UserAgent.GECKO_5_0,
+ UserAgent.GECKO_2_0,
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20100101 Firefox/5.0"},
{"Firefox 4.0 beta 2 - Mac OS X Snow Leopard",
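Review bot: the expectation for "Firefox 5.0" changes from `UserAgent.GECKO_5_0` to `UserAgent.GECKO_2_0` without a comment, so the next reader will take it for a typo. Add a short comment on why Firefox 5 is classified as `GECKO_2_0` (the matching `UserAgent` change is not in this hunk), and consider a row for the boundary between the `GECKO_2_0` and the new `GECKO_23_0` buckets so the classification is pinned from both sides.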
Modified: myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigMergingUnitTest.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigMergingUnitTest.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigMergingUnitTest.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigMergingUnitTest.java Tue Sep 10 13:36:06 2013
@@ -68,9 +68,9 @@ public class TobagoConfigMergingUnitTest
final TobagoConfigImpl config = loadAndMerge(
"tobago-config-merge-0.xml");
- Assert.assertTrue(config.isContentSecurityPolicyActive());
- Assert.assertEquals(1, config.getContentSecurityPolicy().size());
- Assert.assertEquals("default-src 'self'", config.getContentSecurityPolicy().get(0));
+ Assert.assertTrue(config.getContentSecurityPolicy().getMode() == ContentSecurityPolicy.Mode.ON);
+ Assert.assertEquals(1, config.getContentSecurityPolicy().getDirectiveList().size());
+ Assert.assertEquals("default-src 'self'", config.getContentSecurityPolicy().getDirectiveList().get(0));
}
@Test
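Review bot: `Assert.assertTrue(... == ContentSecurityPolicy.Mode.ON)` loses the actual value in the failure message; `Assert.assertEquals(ContentSecurityPolicy.Mode.ON, config.getContentSecurityPolicy().getMode())` reports expected and actual. The same pattern appears in the two following hunks.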
@@ -81,10 +81,10 @@ public class TobagoConfigMergingUnitTest
"tobago-config-merge-0.xml",
"tobago-config-merge-1.xml");
- Assert.assertTrue(config.isContentSecurityPolicyActive());
- Assert.assertEquals(2, config.getContentSecurityPolicy().size());
- Assert.assertEquals("default-src 'self'", config.getContentSecurityPolicy().get(0));
- Assert.assertEquals("image-src http://apache.org", config.getContentSecurityPolicy().get(1));
+ Assert.assertTrue(config.getContentSecurityPolicy().getMode() == ContentSecurityPolicy.Mode.REPORT_ONLY);
+ Assert.assertEquals(2, config.getContentSecurityPolicy().getDirectiveList().size());
+ Assert.assertEquals("default-src 'self'", config.getContentSecurityPolicy().getDirectiveList().get(0));
+ Assert.assertEquals("image-src http://apache.org", config.getContentSecurityPolicy().getDirectiveList().get(1));
}
@Test
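Review bot: the merge contract exercised here is only implicit in the assertions: merge-0 (`mode="on"`) followed by merge-1 (`mode="report-only"`) yields `REPORT_ONLY`, so the last fragment's mode wins, while the directive lists concatenate to 2 entries. A one-line comment stating "last mode wins, directives accumulate" would document that contract, and the enum comparison should use `assertEquals` as in the previous hunk.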
@@ -96,8 +96,8 @@ public class TobagoConfigMergingUnitTest
"tobago-config-merge-1.xml",
"tobago-config-merge-2.xml");
- Assert.assertFalse(config.isContentSecurityPolicyActive());
- Assert.assertEquals(0, config.getContentSecurityPolicy().size());
+ Assert.assertTrue(config.getContentSecurityPolicy().getMode() == ContentSecurityPolicy.Mode.OFF);
+ Assert.assertEquals(2, config.getContentSecurityPolicy().getDirectiveList().size());
}
private TobagoConfigImpl loadAndMerge(String... names)
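Review bot: with `mode="off"` in merge-2 the directive list still holds the 2 inherited directives, whereas the old assertion expected 0 for `extension-mode="replace"` with an empty body. So `off` no longer clears directives; it only suppresses the header, and a later fragment switching back to `on` reinstates the earlier directives. If that is intended, say so in a comment here and in the migration notes; if not, the merge should drop the list when a fragment sets OFF.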
Modified: myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParserUnitTest.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParserUnitTest.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParserUnitTest.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParserUnitTest.java Tue Sep 10 13:36:06 2013
@@ -70,11 +70,9 @@ public class TobagoConfigParserUnitTest
Assert.assertEquals(false, fragment.getCheckSessionSecret().booleanValue());
Assert.assertEquals(false, fragment.getPreventFrameAttacks().booleanValue());
- Assert.assertEquals(2, fragment.getContentSecurityPolicy().size());
- Assert.assertEquals("default-src 'self'", fragment.getContentSecurityPolicy().get(0));
- Assert.assertEquals("frame-src http://apache.org", fragment.getContentSecurityPolicy().get(1));
- // todo: disabled
- // todo: replace
+ Assert.assertEquals(2, fragment.getContentSecurityPolicy().getDirectiveList().size());
+ Assert.assertEquals("default-src 'self'", fragment.getContentSecurityPolicy().getDirectiveList().get(0));
+ Assert.assertEquals("frame-src http://apache.org", fragment.getContentSecurityPolicy().getDirectiveList().get(1));
Assert.assertEquals(2, fragment.getRenderersConfig().getRendererConfigs().size());
Assert.assertTrue(fragment.getRenderersConfig().isMarkupSupported("myRenderer-1", "my-markup-1"));
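Review bot: the parser test asserts the directive list but not the new `mode` attribute, although the fixture `tobago-config-2.0.xml` now carries `mode="on"` in this commit. Add `Assert.assertEquals(ContentSecurityPolicy.Mode.ON, fragment.getContentSecurityPolicy().getMode())` so attribute parsing is covered. The untidy fixture (`tobago-config-untidy-2.0.xml`) puts line breaks inside `<directive>`; an assertion that the parsed directive is trimmed would catch a header value with embedded newlines.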
Modified: myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-2.0.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-2.0.xml?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-2.0.xml (original)
+++ myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-2.0.xml Tue Sep 10 13:36:06 2013
@@ -48,7 +48,7 @@
<check-session-secret>false</check-session-secret>
<prevent-frame-attacks>false</prevent-frame-attacks>
- <content-security-policy extension-mode="replace">
+ <content-security-policy mode="on">
<directive>default-src 'self'</directive>
<directive>frame-src http://apache.org</directive>
</content-security-policy>
Modified: myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-0.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-0.xml?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-0.xml (original)
+++ myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-0.xml Tue Sep 10 13:36:06 2013
@@ -27,7 +27,7 @@
<prevent-frame-attacks>false</prevent-frame-attacks>
- <content-security-policy>
+ <content-security-policy mode="on">
<directive>default-src 'self'</directive>
</content-security-policy>
Modified: myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-1.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-1.xml?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-1.xml (original)
+++ myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-1.xml Tue Sep 10 13:36:06 2013
@@ -31,7 +31,7 @@
</after>
</ordering>
- <content-security-policy>
+ <content-security-policy mode="report-only">
<directive>image-src http://apache.org</directive>
</content-security-policy>
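Review bot: `image-src` is not a CSP directive; the specification defines `img-src`. As fixture data it only feeds the merge test, but directive strings are copied into the header verbatim, so a config copied from this file would silently carry a directive the browser ignores. Use `img-src` here and in the matching assertion in TobagoConfigMergingUnitTest so the fixtures model valid policies.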
Modified: myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-2.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-2.xml?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-2.xml (original)
+++ myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-2.xml Tue Sep 10 13:36:06 2013
@@ -31,7 +31,6 @@
</after>
</ordering>
- <content-security-policy extension-mode="replace">
- </content-security-policy>
+ <content-security-policy mode="off"/>
</tobago-config>
Modified: myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-untidy-2.0.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-untidy-2.0.xml?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-untidy-2.0.xml (original)
+++ myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-untidy-2.0.xml Tue Sep 10 13:36:06 2013
@@ -85,8 +85,7 @@
false
</prevent-frame-attacks>
- <content-security-policy
- extension-mode="replace">
+ <content-security-policy mode="on">
<directive>
default-src 'self'
</directive>
Modified: myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml (original)
+++ myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml Tue Sep 10 13:36:06 2013
@@ -40,7 +40,7 @@
<resource-dir>tobago-resource</resource-dir>
- <content-security-policy>
+ <content-security-policy mode="on">
<directive>frame-src https://maps.google.com</directive>
</content-security-policy>
Added: myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/content/80-security/content-security-policy.xhtml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/content/80-security/content-security-policy.xhtml?rev=1521478&view=auto
==============================================================================
--- myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/content/80-security/content-security-policy.xhtml (added)
+++ myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/content/80-security/content-security-policy.xhtml Tue Sep 10 13:36:06 2013
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+-->
+
+<ui:composition template="/WEB-INF/tags/layout/overview.xhtml"
+ xmlns:tc="http://myfaces.apache.org/tobago/component"
+ xmlns:ui="http://java.sun.com/jsf/facelets"
+ xmlns:f="http://java.sun.com/jsf/core">
+ <ui:param name="title" value="Content Security Policy"/>
+
+ <tc:panel>
+ <f:facet name="layout">
+ <tc:gridLayout rows="100px;*;*" columns="*;*"/>
+ </f:facet>
+
+ <tc:out escape="false" value=" Tobago supports Content Security Policy (CSP) to prevent cross-site
+ scripting (XSS) and related attacks.
+ Specification link http://www.w3.org/TR/CSP/
+ In short: The HTML page doesn't contain any JavaScript or CSS information.
+ All allowed sources for JavaScript, CSS and other resources have to be declared in special header.
+ If you have own renderers or own JavaScript in your application, this code also needs to support SCP, to use this feature.
+ ">
+ <tc:gridLayoutConstraint columnSpan="2"/>
+ </tc:out>
+
+ <tc:box label="This box may be manipulated by JavaScript">
+ <tc:panel id="panel">
+ <tc:out value="When you can read this text, it hasn't been manipulated by JavaScript.
+ That means the CSP is working correctly."/>
+ </tc:panel>
+ <tc:script onload="cspDemo();">
+ // <![CDATA[
+ function cspDemo() {
+ jQuery(Tobago.Utils.escapeClientId("page:panel")).html(
+ "<span style='color: #ff0000; font-weight: bold;'>Attention: When you can read this text, the content was manipulated by JavaScript."
+ + " It seems, your browser doesn't support CSP!</span>");
+ }
+ // ]]>
+ </tc:script>
+ </tc:box>
+
+ </tc:panel>
+</ui:composition>
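Review bot: the explanatory text says custom code "needs to support SCP", a typo for CSP, and the `<tc:out>` is rendered with `escape="false"` although the value is plain text; on a page demonstrating XSS protection that flag should not be set without need. The failure text "It seems, your browser doesn't support CSP!" is also shown when the application runs with `mode="report-only"` or `off`, because the inline `cspDemo()` then executes; mention the configured mode in the message so the demo is not misread as a browser deficiency.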
Modified: myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml (original)
+++ myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml Tue Sep 10 13:36:06 2013
@@ -33,7 +33,7 @@
<prevent-frame-attacks>false</prevent-frame-attacks>
<!-- this disables CSP -->
- <content-security-policy extension-mode="replace"/>
+ <content-security-policy mode="report-only"/>
<renderers>
<renderer>
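Review bot: the comment `<!-- this disables CSP -->` is now wrong: `mode="report-only"` sends the Content-Security-Policy-Report-Only header, so the test application's pages are still evaluated against the merged directives and violations are reported, just not enforced. Update the comment, or use `mode="off"` if disabling was the intent.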
Modified: myfaces/tobago/trunk/tobago-example/tobago-example-test/src/test/java/org/apache/myfaces/tobago/example/test/TestTheAutomaticSeleniumTest.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-example/tobago-example-test/src/test/java/org/apache/myfaces/tobago/example/test/TestTheAutomaticSeleniumTest.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-example/tobago-example-test/src/test/java/org/apache/myfaces/tobago/example/test/TestTheAutomaticSeleniumTest.java (original)
+++ myfaces/tobago/trunk/tobago-example/tobago-example-test/src/test/java/org/apache/myfaces/tobago/example/test/TestTheAutomaticSeleniumTest.java Tue Sep 10 13:36:06 2013
@@ -85,6 +85,7 @@ public class TestTheAutomaticSeleniumTes
} catch (AssertionError e) { // from IDE
Assert.assertTrue(e.getMessage().contains("404 - page not found"));
} catch (SeleniumException e) { // from mvn -Pintegration-test
+ LOG.info("Exception: '" + e.getMessage() + "'");
Assert.assertTrue(e.getMessage().contains("Response_Code = 404"));
}
}
Modified: myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java (original)
+++ myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java Tue Sep 10 13:36:06 2013
@@ -142,9 +142,7 @@ public class PageRenderer extends PageRe
ResponseUtils.ensureNoCacheHeader(facesContext);
- if (tobagoConfig.isContentSecurityPolicyActive()) {
- ResponseUtils.ensureContentSecurityPolicyHeader(facesContext, tobagoConfig.getContentSecurityPolicy());
- }
+ ResponseUtils.ensureContentSecurityPolicyHeader(facesContext, tobagoConfig.getContentSecurityPolicy());
if (LOG.isDebugEnabled()) {
for (Object o : page.getAttributes().entrySet()) {
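Review bot: the `isContentSecurityPolicyActive()` guard is gone, so `ResponseUtils.ensureContentSecurityPolicyHeader` is now called on every page render and must itself decide between sending Content-Security-Policy, Content-Security-Policy-Report-Only, or no header for `Mode.OFF`; that change is not visible in this hunk. A comment here that the mode check lives in ResponseUtils would keep someone from re-adding the guard, and a unit test for the OFF case would lock the behaviour in.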
Modified: myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/META-INF/tobago-config.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/META-INF/tobago-config.xml?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/META-INF/tobago-config.xml (original)
+++ myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/META-INF/tobago-config.xml Tue Sep 10 13:36:06 2013
@@ -27,7 +27,7 @@
<resource-dir>org/apache/myfaces/tobago/renderkit</resource-dir>
- <content-security-policy>
+ <content-security-policy mode="on">
<directive>default-src 'self'</directive>
</content-security-policy>