Posted to commits@myfaces.apache.org by lo...@apache.org on 2013/08/30 15:46:52 UTC

svn commit: r1518968 - in /myfaces/tobago/trunk: src/site/apt/migration-2.0.apt tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoServletContextListener.java

Author: lofwyr
Date: Fri Aug 30 13:46:51 2013
New Revision: 1518968

URL: http://svn.apache.org/r1518968
Log:
TOBAGO-1171: Support for the Content Security Policy (CSP) 
- add a note at application startup

Modified:
    myfaces/tobago/trunk/src/site/apt/migration-2.0.apt
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoServletContextListener.java

Modified: myfaces/tobago/trunk/src/site/apt/migration-2.0.apt
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/src/site/apt/migration-2.0.apt?rev=1518968&r1=1518967&r2=1518968&view=diff
==============================================================================
--- myfaces/tobago/trunk/src/site/apt/migration-2.0.apt (original)
+++ myfaces/tobago/trunk/src/site/apt/migration-2.0.apt Fri Aug 30 13:46:51 2013
@@ -41,7 +41,20 @@ CSP
   All allowed sources for JavaScript, CSS and other resources have to be declared in special header.
   If you have own renderers or own JavaScript in your application, this code also needs to support SCP, to use this feature.
 
-  TODO: How to configure
+* Warning:
+
+  CSP requires a different handling of JavaScript and other resources.
+  If you use own JavaScript in the HTML page or including resources from other sites you may need to
+  adapt your application, (or turn this feature off).
+
+* Configuration
+
+  To add sites to the CSP headers, add <<<\<directive\>>>> tags to <<<\<content-security-policy\>>>> in
+  the <<<tobago-config.xml>>>.
+
+  To turn off CSP, add an empty <<<\<content-security-policy extension-mode="replace"\>>>> tag in the configuration.
+  This will reset the list of directive entries.
+  If there is no entry, the feature is disabled.
 
 Java-API
 

Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoServletContextListener.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoServletContextListener.java?rev=1518968&r1=1518967&r2=1518968&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoServletContextListener.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoServletContextListener.java Fri Aug 30 13:46:51 2013
@@ -48,7 +48,16 @@ public class TobagoServletContextListene
 
     TobagoConfigBuilder.init(servletContext);
     if (LOG.isInfoEnabled()) {
-      LOG.info("TobagoConfig: " + TobagoConfig.getInstance(servletContext));
+      final TobagoConfig tobagoConfig = TobagoConfig.getInstance(servletContext);
+      LOG.info("TobagoConfig: " + tobagoConfig);
+      if (tobagoConfig.isContentSecurityPolicyActive()) {
+        LOG.info("********************************************************************************");
+        LOG.info("* Note: CSP is activated!                                                      *");
+        LOG.info("* You may need to check application specific JavaScript code.                  *");
+        LOG.info("* Otherwise the application will not run in browsers, that are supporting CSP. *");
+        LOG.info("* For more information see http://myfaces.apache.org/tobago/migration-2.0.html *");
+        LOG.info("********************************************************************************");
+      }
       LOG.info("ResourcesManager: " + ResourceManagerFactory.getResourceManager(servletContext));
     }
   }
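Review bot: The CSP notice is written only inside the `if (LOG.isInfoEnabled())` guard and only at INFO level, so a deployment that logs at WARN or above never sees it. Nothing is logged when `isContentSecurityPolicyActive()` returns false, unless the `TobagoConfig` string output happens to show it. That is the state an operator most needs to notice, because the migration note in this same commit says an empty `<content-security-policy extension-mode="replace">` tag disables the feature. Consider moving the check out of the info guard, logging the banner with `LOG.warn(...)`, and adding an else branch such as `LOG.warn("CSP is not active: no Content-Security-Policy directives are configured.");`. The enclosing method begins outside the hunk, so this assumes `LOG` offers a `warn` method like the `info` one used here.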