Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/05/08 21:03:39 UTC
svn commit: r1678427 - in /tomcat/trunk: conf/web.xml
java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
java/org/apache/catalina/filters/LocalStrings.properties
webapps/docs/config/filter.xml
Author: markt
Date: Fri May 8 19:03:39 2015
New Revision: 1678427
URL: http://svn.apache.org/r1678427
Log:
Add support for blocking content type sniffing
Modified:
tomcat/trunk/conf/web.xml
tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties
tomcat/trunk/webapps/docs/config/filter.xml
Modified: tomcat/trunk/conf/web.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/web.xml?rev=1678427&r1=1678426&r2=1678427&view=diff
==============================================================================
--- tomcat/trunk/conf/web.xml (original)
+++ tomcat/trunk/conf/web.xml Fri May 8 19:03:39 2015
@@ -423,6 +423,10 @@
<!-- -->
<!-- antiClickJackingUri IF ALLOW-FROM is used, what URI should be -->
<!-- allowed? [] -->
+ <!-- -->
+ <!-- blockContentTypeSniffingEnabled -->
+ <!-- Should the header that blocks content type -->
+ <!-- sniffing be added to every response? [true] -->
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
Modified: tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java?rev=1678427&r1=1678426&r2=1678427&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java Fri May 8 19:03:39 2015
@@ -52,6 +52,11 @@ public class HttpHeaderSecurityFilter ex
private URI antiClickJackingUri;
private String antiClickJackingHeaderValue;
+ // Block content sniffing
+ private static final String BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME = "X-Content-Type-Options";
+ private static final String BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE = "nosniff";
+ private boolean blockContentTypeSniffingEnabled = true;
+
@Override
public void init(FilterConfig filterConfig) throws ServletException {
super.init(filterConfig);
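Review bot: The new field group at the top of the hunk carries only `// Block content sniffing`, which does not tell a maintainer what the header actually guarantees. `X-Content-Type-Options: nosniff` only stops browsers from overriding the declared Content-Type; it is not a substitute for sending an accurate Content-Type, and nothing in this filter verifies that one is set. Suggest expanding the comment to something like `// Block content sniffing: nosniff tells browsers to honour the declared Content-Type, so it only helps when responses set one correctly. Enabled by default.` so the default of `true` is also recorded next to the field rather than only in web.xml. init() continues past the end of this hunk.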
@@ -93,6 +98,11 @@ public class HttpHeaderSecurityFilter ex
ANTI_CLICK_JACKING_HEADER_NAME, antiClickJackingHeaderValue);
}
+ // Block content type sniffing
+ if (blockContentTypeSniffingEnabled && response instanceof HttpServletResponse) {
+ ((HttpServletResponse) response).addHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
+ BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);
+ }
chain.doFilter(request, response);
}
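Review bot: `addHeader` in the new branch appends rather than replaces, so if the filter runs more than once for the same response (for example mapped to both the REQUEST and FORWARD dispatchers, or stacked behind another component that already emits it) the client receives duplicate `X-Content-Type-Options: nosniff` headers; `setHeader` is idempotent and gives the same protection. The method used by the sibling anti-clickjacking branch is not visible in this hunk, but the new branch should match it, and if that is `setHeader` the change is one call: `((HttpServletResponse) response).setHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME, BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);`. The committed-response check implied by the `httpHeaderSecurityFilter.committed` message presumably sits earlier in doFilter, outside this hunk, and would not prevent the duplication. doFilter starts before this hunk.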
@@ -163,7 +173,6 @@ public class HttpHeaderSecurityFilter ex
}
-
public void setAntiClickJackingOption(String antiClickJackingOption) {
for (XFrameOption option : XFrameOption.values()) {
if (option.getHeaderValue().equalsIgnoreCase(antiClickJackingOption)) {
@@ -171,8 +180,8 @@ public class HttpHeaderSecurityFilter ex
return;
}
}
- // TODO i18n
- throw new IllegalArgumentException();
+ throw new IllegalArgumentException(
+ sm.getString("httpHeaderSecurityFilter.clickjack.invalid", antiClickJackingOption));
}
@@ -182,6 +191,16 @@ public class HttpHeaderSecurityFilter ex
}
+ public boolean isBlockContentTypeSniffingEnabled() {
+ return blockContentTypeSniffingEnabled;
+ }
+
+
+ public void setBlockContentTypeSniffingEnabled(
+ boolean blockContentTypeSniffingEnabled) {
+ this.blockContentTypeSniffingEnabled = blockContentTypeSniffingEnabled;
+ }
+
public void setAntiClickJackingUri(String antiClickJackingUri) {
URI uri;
Modified: tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties?rev=1678427&r1=1678426&r2=1678427&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties Fri May 8 19:03:39 2015
@@ -41,4 +41,6 @@ expiresFilter.expirationHeaderAlreadyDef
expiresFilter.skippedStatusCode=Request "{0}" with response status "{1}" content-type "{1}", skip expiration header generation for given status
httpHeaderSecurityFilter.committed=Unable to add HTTP headers since response is already committed on entry to the HTTP header security Filter
+httpHeaderSecurityFilter.clickjack.invalid=An invalid value [{0}] was specified for the anti click-jacking header
+
remoteIpFilter.invalidLocation=Failed to modify the rewrite location [{0}] to use scheme [{1}] and port [{2}]
\ No newline at end of file
Modified: tomcat/trunk/webapps/docs/config/filter.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/filter.xml?rev=1678427&r1=1678426&r2=1678427&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/trunk/webapps/docs/config/filter.xml Fri May 8 19:03:39 2015
@@ -761,6 +761,12 @@ FINE: Request "/docs/config/manager.html
empty string will be used.</p>
</attribute>
+ <attribute name="blockContentTypeSniffingEnabled" required="false">
+ <p>Should the header that blocks content type sniffing be added to every
+ response. If not specified, the default value of <code>true</code> will
+ be used.</p>
+ </attribute>
+
</attributes>
</subsection>