CLOUDSTACK-9833: Added content security policy in HTTP servlet response to detect and mitigate certain type of attacks.

Restricted image source, style sheets, java scripts, URLs to be loaded only from self.
2017-05-17 10:50:23 +05:30 · 2017-05-17 10:50:23 +05:30 · efbb59fe72
parent d2fe2332d3
commit efbb59fe72
1 changed files with 11 additions and 0 deletions
--- a/utils/src/main/java/com/cloud/utils/HttpUtils.java
+++ b/utils/src/main/java/com/cloud/utils/HttpUtils.java
@ -50,6 +50,17 @@ public class HttpUtils {
        else {
            resp.addHeader("X-XSS-Protection", "1;mode=block");
        }
+
+        if (resp.containsHeader("content-security-policy")) {
+            resp.setIntHeader("content-security-policy", 1);
+        }else {
+            resp.addIntHeader("content-security-policy", 1);
+        }
+        resp.addHeader("content-security-policy","default-src=none");
+        resp.addHeader("content-security-policy","script-src=self");
+        resp.addHeader("content-security-policy","connect-src=self");
+        resp.addHeader("content-security-policy","img-src=self");
+        resp.addHeader("content-security-policy","style-src=self");
    }

    public static void writeHttpResponse(final HttpServletResponse resp, final String response,