From efbb59fe721818ae5721afb9dc27b86499244185 Mon Sep 17 00:00:00 2001
From: Harikrishna Patnala
Date: Wed, 17 May 2017 10:50:23 +0530
Subject: [PATCH] CLOUDSTACK-9833: Added content security policy in HTTP servlet response to detect and mitigate certain type of attacks. Restricted image source, style sheets, java scripts, URLs to be loaded only from self.
---
 utils/src/main/java/com/cloud/utils/HttpUtils.java | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/utils/src/main/java/com/cloud/utils/HttpUtils.java b/utils/src/main/java/com/cloud/utils/HttpUtils.java
index d2e844a23ea..a5d9f6a16b6 100644
--- a/utils/src/main/java/com/cloud/utils/HttpUtils.java
+++ b/utils/src/main/java/com/cloud/utils/HttpUtils.java
@@ -50,6 +50,17 @@ public class HttpUtils {
 else {
 resp.addHeader("X-XSS-Protection", "1;mode=block");
 }
+
+ if (resp.containsHeader("content-security-policy")) {
+ resp.setIntHeader("content-security-policy", 1);
+ }else {
+ resp.addIntHeader("content-security-policy", 1);
+ }
+ resp.addHeader("content-security-policy","default-src=none");
+ resp.addHeader("content-security-policy","script-src=self");
+ resp.addHeader("content-security-policy","connect-src=self");
+ resp.addHeader("content-security-policy","img-src=self");
+ resp.addHeader("content-security-policy","style-src=self");
 }
 
 public static void writeHttpResponse(final HttpServletResponse resp, final String response,
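Review bot: The directive values added here (`default-src=none`, `script-src=self`, …) are not valid Content-Security-Policy syntax — a policy is `directive source-list` pairs separated by `;`, with keyword sources quoted (`'self'`, `'none'`) — so a browser will discard them and the response gains no protection despite what the commit message states. The `setIntHeader`/`addIntHeader` calls additionally emit a `content-security-policy: 1` header that means nothing, and the five `addHeader` calls send five separate CSP headers, which conforming browsers enforce independently rather than merging into one policy. Build the policy as one string and send it in a single header, mirroring the set-vs-add pattern already used for X-XSS-Protection above; the `}else {` spacing should also follow the `}` / `else {` layout the surrounding code uses. A `default-src 'none'` policy with no `font-src`/`frame-src` entries and no inline allowances may well break the existing UI, so this should be verified in a browser before it ships. The enclosing method starts outside the hunk.

```java
        // … unchanged: X-Content-Type-Options and X-XSS-Protection handling …
        final String csp = "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'";
        if (resp.containsHeader("Content-Security-Policy")) {
            resp.setHeader("Content-Security-Policy", csp);
        } else {
            resp.addHeader("Content-Security-Policy", csp);
        }
```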