authorValerij Fredriksen <valerijf@yahooinc.com>2022-06-27 12:02:55 +0200
committerValerij Fredriksen <valerijf@yahooinc.com>2022-06-27 12:02:55 +0200
commitd475ef8fd2a504b4a80926b65036cb08eb709a4e (patch)
tree9673fff006b3f0676ef1b5cd17ea46f953443be1 /jdisc-security-filters
parent44515f9965c847d0c8ebdc351239804ecf6236ee (diff)
Create CSP response filter
Diffstat (limited to 'jdisc-security-filters')
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/csp/CspResponseFilter.java29
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/csp/package-info.java8
2 files changed, 37 insertions, 0 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/csp/CspResponseFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/csp/CspResponseFilter.java
new file mode 100644
index 00000000000..9ed0c745131
--- /dev/null
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/csp/CspResponseFilter.java
@@ -0,0 +1,29 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.filter.security.csp;
+
+import com.yahoo.component.annotation.Inject;
+import com.yahoo.jdisc.AbstractResource;
+import com.yahoo.jdisc.http.filter.DiscFilterResponse;
+import com.yahoo.jdisc.http.filter.RequestView;
+import com.yahoo.jdisc.http.filter.SecurityResponseFilter;
+import com.yahoo.yolean.chain.Provides;
+
+/**
+ * The HTTP Content-Security-Policy (CSP) sandbox directive enables a sandbox for the requested resource similar to
+ * the <iframe> sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing
+ * the execution of plugins and scripts, and enforcing a same-origin policy.
+ *
+ * @author freva
+ */
+@Provides("CspResponseFilter")
+public class CspResponseFilter extends AbstractResource implements SecurityResponseFilter {
+
+ @Inject
+ public CspResponseFilter() { }
+
+ @Override
+ public void filter(DiscFilterResponse response, RequestView request) {
+ response.setHeader("Content-Security-Policy", "sandbox");
+ }
+
+}
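Review bot: The class Javadoc describes the CSP sandbox directive in general but never says what this filter does, and the `<iframe>` on the second line is raw HTML inside Javadoc, so the generated docs will render an empty iframe element rather than the literal text. Add a sentence such as `Sets the {@code Content-Security-Policy: sandbox} response header on every response this filter sees, replacing any CSP header already present.` and change `<iframe>` to `{@code <iframe>}`. The "replacing" wording holds if `DiscFilterResponse.setHeader` overwrites an existing header rather than appending to it, which I cannot confirm from this hunk; if it overwrites, a handler-provided policy is silently lost, which is worth stating explicitly so chain authors place this filter deliberately. The bare `sandbox` value (no tokens) is the most restrictive form, so it should also be documented that any handler behind this filter cannot rely on scripts, forms or same-origin access working in the browser.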
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/csp/package-info.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/csp/package-info.java
new file mode 100644
index 00000000000..c8784b32fcb
--- /dev/null
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/csp/package-info.java
@@ -0,0 +1,8 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+/**
+ * @author freva
+ */
+@ExportPackage
+package com.yahoo.jdisc.http.filter.security.csp;
+
+import com.yahoo.osgi.annotation.ExportPackage;