Add SecurityRules and related code.

SecurityRules provides a way to set security rules like HTTPS requirements and a content security policy, which are in turn served with resources from Lift via headers. Right now, we support Content-Security-Policy and Strict-Transport-Security headers. While a default reporting URI is in place for content security policy violations, there’s not yet any code that handles information sent to that URI.
Fashionbase · Jan 26, 2015 · d3710e4 · d3710e4
1 parent 6ed96fc
commit d3710e4
Show file tree

Hide file tree

Showing 2 changed files with 396 additions and 5 deletions.
diff --git a/web/webkit/src/main/scala/net/liftweb/http/LiftRules.scala b/web/webkit/src/main/scala/net/liftweb/http/LiftRules.scala
@@ -264,6 +264,14 @@ class LiftRules() extends Factory with FormVendor with LazyLoggable {
    */
   val beforeSend = RulesSeq[(BasicResponse, HTTPResponse, List[(String, String)], Box[Req]) => Any]
 
+  private lazy val defaultSecurityRules = SecurityRules()
+  /**
+   * The security rules used by Lift to secure this application. These mostly
+   * relate to HTTPS handling and HTTP `Content-Security-Policy`. See the
+   * `[[SecurityRules]]` documentation for more.
+   */
+  @volatile var securityRules: () => SecurityRules = () => defaultSecurityRules
+
   /**
    * Defines the resources that are protected by authentication and authorization. If this function
    * is not defined for the input data, the resource is considered unprotected ergo no authentication
@@ -1428,10 +1436,10 @@ class LiftRules() extends Factory with FormVendor with LazyLoggable {
   @volatile var defaultHeaders: PartialFunction[(NodeSeq, Req), List[(String, String)]] = {
     case _ =>
       val d = Helpers.nowAsInternetDate
+
       List("Expires" -> d,
            "Date" -> d,
-           "Cache-Control" ->
-           "no-cache, private, no-store",
+           "Cache-Control" -> "no-cache, private, no-store",
            "Pragma" -> "no-cache" )
   }
 
@@ -1634,9 +1642,19 @@ class LiftRules() extends Factory with FormVendor with LazyLoggable {
   @volatile var cometGetTimeout = 140000
 
   /**
-   * Compute the headers to be sent to the browser in addition to anything else that's sent
-   */
-  val supplementalHeaders: FactoryMaker[List[(String, String)]] = new FactoryMaker(() => List(("X-Lift-Version", liftVersion), ("X-Frame-Options", "SAMEORIGIN"))) {}
+   * Compute the headers to be sent to the browser in addition to anything else
+   * that's sent.
+   *
+   * Note that the headers for the applications `SecurityRules` are also set
+   * here, so if you override the supplemental headers, you should
+   * either refer back to the default set or make sure to include
+   * `LiftRules.securityRules.headers`.
+   */
+  val supplementalHeaders: FactoryMaker[List[(String, String)]] = new FactoryMaker(() => {
+    ("X-Lift-Version", liftVersion) ::
+    ("X-Frame-Options", "SAMEORIGIN") ::
+    securityRules().headers
+  }) {}
 
   @volatile var calcIE6ForResponse: () => Boolean = () => S.request.map(_.isIE6) openOr false