Add Content Security Policy Support #3763

Closed

jgrandja
Contributor

  • Adds CSP support to the Java DSL of HeadersConfigurer
  • Implementation is pretty straightforward but the documentation is important here so please review and provide feedback on whether it's sufficient

this.writer = new ContentSecurityPolicyHeaderWriter(policyDirectives);
} else {
// TODO Allow for over-riding previously set directives? Is this really needed?
this.writer.setPolicyDirectives(policyDirectives);
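
Review bot: The TODO in the else branch leaves an open design question in code that is headed for merge. As written, a second call reuses the existing writer and hands the new string to setPolicyDirectives, so decide whether that is the intended behaviour for repeated calls, state it in the method's Javadoc, and delete the TODO rather than shipping it.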
Member

I think this should be removed. Users can always invoke contentSecurityPolicy again.

@rwinch
Member

rwinch commented Mar 17, 2016

@pivotal-joe-grandja Thanks for the PR!

I would try to add a link to one or more of the more popular CSP guides (http://www.html5rocks.com/en/tutorials/security/content-security-policy/ or https://developer.mozilla.org/en-US/docs/Web/Security/CSP are nice)

We should also update the headers section of the reference.

Also, we will likely merge all of the CSP stuff at once so feel free to update this PR and squash commits as you get the XML support and documentation updated.

@jgrandja
Contributor Author

Ok thanks Rob.
I'll apply those updates.

On Thu, Mar 17, 2016 at 12:04 PM, Rob Winch notifications@github.com
wrote:

@pivotal-joe-grandja https://github.com/pivotal-joe-grandja Thanks for
the PR!

I would try to add a link to one or more of the more popular CSP guides (
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
or https://developer.mozilla.org/en-US/docs/Web/Security/CSP are nice)

We should also update the headers section
https://github.com/spring-projects/spring-security/blob/41c6a797c3303b78a6f1ac6d82efeae3773f680c/docs/manual/src/docs/asciidoc/index.adoc#headers
of the reference.

Also, we will likely merge all of the CSP stuff at once so feel free to
update this PR and squash commits as you get the XML support and
documentation updated.



@rwinch rwinch changed the title from "adds Java DSL support for Content Security Policy" to "Add Content Security Policy Support" Mar 22, 2016
@rwinch rwinch added the "status: duplicate" (A duplicate of another issue) label Mar 22, 2016
@rwinch rwinch added this to the 4.1.0 RC1 milestone Mar 22, 2016
@rwinch
Member

rwinch commented Mar 22, 2016

This will fix #2342

rwinch pushed a commit that referenced this pull request Mar 23, 2016
@rwinch rwinch self-assigned this Mar 23, 2016
@rwinch
Member

rwinch commented Mar 23, 2016

@pivotal-joe-grandja Thanks for the updates! This is now merged into master via 2f7f2ff

@rwinch rwinch closed this Mar 23, 2016
@jgrandja jgrandja deleted the sec-2117 branch April 18, 2016 13:16