Posted to commits@openmeetings.apache.org by so...@apache.org on 2017/11/08 09:41:54 UTC

openmeetings git commit: [OPENMEETINGS-1747] Content-Security-Policy for Edge should be fixed

Repository: openmeetings
Updated Branches:
  refs/heads/4.0.x d41832b13 -> 1ec81a934


[OPENMEETINGS-1747] Content-Security-Policy for Edge should be fixed


Project: http://git-wip-us.apache.org/repos/asf/openmeetings/repo
Commit: http://git-wip-us.apache.org/repos/asf/openmeetings/commit/1ec81a93
Tree: http://git-wip-us.apache.org/repos/asf/openmeetings/tree/1ec81a93
Diff: http://git-wip-us.apache.org/repos/asf/openmeetings/diff/1ec81a93

Branch: refs/heads/4.0.x
Commit: 1ec81a934b5d99a79d815e8f9ac9314227e75a1d
Parents: d41832b
Author: Maxim Solodovnik <so...@gmail.com>
Authored: Wed Nov 8 16:41:44 2017 +0700
Committer: Maxim Solodovnik <so...@gmail.com>
Committed: Wed Nov 8 16:41:44 2017 +0700

----------------------------------------------------------------------
 .../openmeetings/web/app/Application.java       | 25 +++++++++++++++-----
 1 file changed, 19 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/openmeetings/blob/1ec81a93/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java
----------------------------------------------------------------------
diff --git a/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java b/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java
index bd36f4f..25d6828 100644
--- a/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java
+++ b/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java
@@ -253,12 +253,8 @@ public class Application extends AuthenticatedWebApplication implements IApplica
 					wresp.setHeader("X-Content-Type-Options", "nosniff");
 					wresp.setHeader("X-Frame-Options", xFrameOptions);
 					Url reqUrl = cycle.getRequest().getUrl();
-					wresp.setHeader("Content-Security-Policy", String.format("%s; connect-src 'self' %s://%s:%s;"
-							, contentSecurityPolicy
-							, "http".equalsIgnoreCase(reqUrl.getProtocol()) ? "ws" : "wss"
-							, reqUrl.getHost()
-							, reqUrl.getPort()
-						));
+					wresp.setHeader("Content-Security-Policy"
+							, String.format("%s; connect-src 'self' %s;", contentSecurityPolicy, getWsUrl(reqUrl)));
 				}
 			}
 		});
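Review bot: The `connect-src` source is still built from `reqUrl.getHost()` (now through `getWsUrl`), so whatever host the request URL carries is written into the `Content-Security-Policy` header without validation. If that value is derived from the client-supplied Host header, which is not visible in this hunk, the policy can name an origin the deployment never intended. Building the source from a configured base URL, or checking the host against the expected server names before formatting, would close that gap. Separately, this format string ends in `;` and `getWsUrl` in the second hunk also appends `;`, so the header ends in `;;`; dropping one of them, e.g. `"%s; connect-src 'self' %s"`, keeps the policy well-formed. The enclosing request-cycle listener starts outside the hunk.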
@@ -892,4 +888,21 @@ public class Application extends AuthenticatedWebApplication implements IApplica
 	public void publishWsTopic(IClusterWsMessage msg) {
 		hazelWsTopic.publish(msg);
 	}
+
+	private String getWsUrl(Url reqUrl) {
+		final boolean secure = "http".equalsIgnoreCase(reqUrl.getProtocol());
+		String delim = ":";
+		String port = reqUrl.getPort() == null || reqUrl.getPort() < 0 ? "" : String.valueOf(reqUrl.getPort());
+		if (!port.isEmpty() && ((secure && 443 == reqUrl.getPort()) || (!secure && 80 == reqUrl.getPort()))) {
+			port = "";
+		}
+		if (port.isEmpty()) {
+			delim = "";
+		}
+		return String.format("%s://%s%s%s;"
+			, secure ? "ws" : "wss"
+			, reqUrl.getHost()
+			, delim
+			, port);
+	}
 }
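Review bot: In `getWsUrl`, `secure` is true when the protocol is `http`, so the flag is inverted relative to its name and the default-port check strips 443 on plain HTTP and 80 on HTTPS. An HTTPS request on port 443 therefore still yields `wss://host:443`, and the default port is not dropped in the common case. Suggest `final boolean secure = !"http".equalsIgnoreCase(reqUrl.getProtocol());` together with `secure ? "wss" : "ws"` in the format arguments, leaving the port condition as written. A short Javadoc saying that the method returns the CSP source expression for the websocket endpoint and omits default ports would make the intent checkable.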