From d475ef8fd2a504b4a80926b65036cb08eb709a4e Mon Sep 17 00:00:00 2001
From: Valerij Fredriksen <valerijf@yahooinc.com>
Date: Mon, 27 Jun 2022 12:02:55 +0200
Subject: Create CSP response filter

---
 .../filter/security/csp/CspResponseFilter.java     | 29 ++++++++++++++++++++++
 .../http/filter/security/csp/package-info.java     |  8 ++++++
 2 files changed, 37 insertions(+)
 create mode 100644 jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/csp/CspResponseFilter.java
 create mode 100644 jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/csp/package-info.java

(limited to 'jdisc-security-filters/src')

diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/csp/CspResponseFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/csp/CspResponseFilter.java
new file mode 100644
index 00000000000..9ed0c745131
--- /dev/null
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/csp/CspResponseFilter.java
@@ -0,0 +1,29 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.filter.security.csp;
+
+import com.yahoo.component.annotation.Inject;
+import com.yahoo.jdisc.AbstractResource;
+import com.yahoo.jdisc.http.filter.DiscFilterResponse;
+import com.yahoo.jdisc.http.filter.RequestView;
+import com.yahoo.jdisc.http.filter.SecurityResponseFilter;
+import com.yahoo.yolean.chain.Provides;
+
+/**
+ * The HTTP Content-Security-Policy (CSP) sandbox directive enables a sandbox for the requested resource similar to
+ * the <iframe> sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing
+ * the execution of plugins and scripts, and enforcing a same-origin policy.
+ *
+ * @author freva
+ */
+@Provides("CspResponseFilter")
+public class CspResponseFilter extends AbstractResource implements SecurityResponseFilter {
+
+    @Inject
+    public CspResponseFilter() { }
+
+    @Override
+    public void filter(DiscFilterResponse response, RequestView request) {
+        response.setHeader("Content-Security-Policy", "sandbox");
+    }
+
+}
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/csp/package-info.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/csp/package-info.java
new file mode 100644
index 00000000000..c8784b32fcb
--- /dev/null
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/csp/package-info.java
@@ -0,0 +1,8 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+/**
+ * @author freva
+ */
+@ExportPackage
+package com.yahoo.jdisc.http.filter.security.csp;
+
+import com.yahoo.osgi.annotation.ExportPackage;
-- 
cgit v1.2.3