Enable content security policy by default (javamelody#1031)

goldyliang · Mar 17, 2022 · 8a7481b · 8a7481b
1 parent 4fc5efe
commit 8a7481b
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/javamelody-core/src/main/java/net/bull/javamelody/Parameter.java b/javamelody-core/src/main/java/net/bull/javamelody/Parameter.java
@@ -211,6 +211,11 @@ public enum Parameter {
 	 */
 	X_FRAME_OPTIONS("x-frame-options"),
 
+	/**
+	 * Parameter to enable or disable the Content Security Policy header (true by default).
+	 */
+	CONTENT_SECURITY_POLICY_ENABLED("content-security-policy-enabled"),
+
 	/**
 	 * Expression régulière (null par défaut) pour restreindre l'accès au monitoring à certaines adresses IP.
 	 */

diff --git a/javamelody-core/src/main/java/net/bull/javamelody/internal/web/HtmlController.java b/javamelody-core/src/main/java/net/bull/javamelody/internal/web/HtmlController.java
@@ -65,6 +65,8 @@
  */
 public class HtmlController {
 	static final String HTML_BODY_FORMAT = "htmlbody";
+	private static final boolean CONTENT_SECURITY_POLICY_ENABLED = Parameter.CONTENT_SECURITY_POLICY_ENABLED
+			.getValue() == null || Parameter.CONTENT_SECURITY_POLICY_ENABLED.getValueAsBoolean();
 	private static final String X_FRAME_OPTIONS = Parameter.X_FRAME_OPTIONS.getValue();
 	private static final RequestToMethodMapper<HtmlController> REQUEST_TO_METHOD_MAPPER = new RequestToMethodMapper<>(
 			HtmlController.class);
@@ -120,6 +122,14 @@ static boolean isLocalCollectNeeded(String part) {
 
 	public static BufferedWriter getWriter(HttpServletResponse httpResponse) throws IOException {
 		httpResponse.setContentType("text/html; charset=UTF-8");
+		if (CONTENT_SECURITY_POLICY_ENABLED) {
+			final String analyticsId = Parameter.ANALYTICS_ID.getValue();
+			final boolean analyticsEnabled = analyticsId != null && !"disabled".equals(analyticsId);
+			httpResponse.setHeader("Content-Security-Policy",
+					"default-src 'self'"
+							+ (analyticsEnabled ? " https://ssl.google-analytics.com" : "")
+							+ "; object-src 'none';");
+		}
 		if (X_FRAME_OPTIONS == null) {
 			// default value of X-Frame-Options is SAMEORIGIN
 			httpResponse.setHeader("X-Frame-Options", "SAMEORIGIN");