New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NIFI-5366 - Added ContentSecurityPolicyFilter which stops framing of … #2989

Closed
wants to merge 1 commit into
base: master
from

Conversation

Projects
None yet
2 participants
@thenatog
Contributor

thenatog commented Sep 4, 2018

…NiFi resources. It applies the Content-Security-Policy header. This protects against clickjacking.

NIFI-5366 - Added unit test. Added single quotes around 'self' for frame-ancestors CSP header.

Thank you for submitting a contribution to Apache NiFi.

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

For all changes:

  • Is there a JIRA ticket associated with this PR? Is it referenced
    in the commit message?

  • Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.

  • Has your PR been rebased against the latest commit within the target branch (typically master)?

  • Is your initial contribution a single, squashed commit?

For code changes:

  • Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder?
  • Have you written or updated unit tests to verify your changes?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly?
  • If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly?
  • If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties?

For documentation related changes:

  • Have you ensured that format looks appropriate for the output in which it is rendered?

Note:

Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.

</dependency>
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-servlet</artifactId>

This comment has been minimized.

@alopresto

alopresto Sep 4, 2018

Contributor

Let's move the non-test dependencies above so they are all together with the compile dependencies and the test dependencies are together. Not a technical necessity, but good for logical grouping and identification.

This comment has been minimized.

@thenatog

thenatog Sep 5, 2018

Contributor

Removed one unnecessary dependency and changed the other to scope test (as it's only used in the unit test).

@alopresto

This comment has been minimized.

Contributor

alopresto commented Sep 4, 2018

Reviewing...

@alopresto

This comment has been minimized.

Contributor

alopresto commented Sep 4, 2018

Verified that the header is present on responses.

Ran contrib-check and all tests pass. +1 if you re-order the dependencies.

NIFI-5366 - Added ContentSecurityPolicyFilter which stops framing of …
…NiFi resources. It applies the Content-Security-Policy header. This protects against clickjacking.

NIFI-5366 - Added unit test. Added single quotes around 'self' for frame-ancestors CSP header.

NIFI-5366 - Fixed dependencies.

@thenatog thenatog force-pushed the thenatog:NIFI-5366-rebased branch from 5ba4798 to b6d065d Sep 5, 2018

@@ -502,6 +503,11 @@ private WebAppContext loadWar(final File warFile, final String contextPath, fina
// add a filter to set the X-Frame-Options filter
webappContext.addFilter(new FilterHolder(FRAME_OPTIONS_FILTER), "/*", EnumSet.allOf(DispatcherType.class));
// add a filter to set the Content Security Policy frame-ancestors directive
FilterHolder cspFilter = new FilterHolder(new ContentSecurityPolicyFilter());

This comment has been minimized.

@alopresto

alopresto Sep 6, 2018

Contributor

From what I can tell by tracing the Jetty code, this is almost equivalent to just assigning the Filter directly via addFilter(). Do you have a resource or documentation that indicates why using a FilterHolder is preferable?

This comment has been minimized.

@thenatog

thenatog Sep 6, 2018

Contributor

I think I thought there was no way to set the Filter name without passing the FilterHolder but it looks like if you pass the classname as a string it will set the filter name. Setting the filter name is helpful for debugging. Looks like most filters being added use the FilterHolder method definition, not exactly sure why however.

@asfgit asfgit closed this in fc14612 Sep 6, 2018

@alopresto

This comment has been minimized.

Contributor

alopresto commented Sep 6, 2018

Thanks for making the requested changes. In general, please try to avoid rebasing in PRs as it loses the history of the interactions. The reviewer/committer should handle that when merging to master.

+1, merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment