public class ContentSecurityPolicyManager extends java.lang.Object implements JcmsConstants, JPropertiesListener
The following properties can be defined to configure this implementation:

```properties
# Is CSP enabled for this site?
# default is false
channel.security.csp.enabled: true

# space or comma separated list of jsp (servlet path) excluded from CSP processing
# use with care, you should not have to exclude anything !!!
# default is empty
channel.security.csp.excluded-path:

# List of HTTP header names to be used to output the header corresponding to "Content-Security-Policy" specification.
# Eg "Content-Security-Policy", "X-Content-Security-Policy", "X-WebKit-CSP" to broaden browser support.
# default is "Content-Security-Policy"
channel.security.csp.csp-header-names: Content-Security-Policy

# List of HTTP header names to be used to output the header corresponding to "Content-Security-Policy-Report-Only" specification.
# Eg "Content-Security-Policy-Report-Only", "X-Content-Security-Policy-Report-Only", "X-WebKit-CSP-Report-Only" to broaden browser support.
# default is "Content-Security-Policy-Report-Only"
channel.security.csp.csp-report-only-header-names: Content-Security-Policy-Report-Only

# Java Format string used to output the "Content-Security-Policy" HTTP Header(s) value
# %1s can be used to output a nonce generated for each request
# default is empty as a fine tuning is required for each site
channel.security.csp.csp-header:

# Java Format string used to output the "Content-Security-Policy-Report-Only" HTTP Header(s) value
# %1s can be used to output a nonce generated for each request
# default is empty as a fine tuning is required for each site
channel.security.csp.csp-report-only-header: default-src 'self'; script-src 'self' 'nonce-%1s'; report-uri http://cspbuilder.info/report/124567890123456789/;
```
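The following is an added illustration, not JCMS code, of how these properties combine per request: a fresh CSPRNG nonce is formatted into the configured header value(s), emitted under every configured header name, and skipped entirely for excluded servlet paths. The property values, the request attribute name and the class name are constructed for the example; the field names mirror the manager's documented fields.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical stand-in for the manager, showing how the properties above are applied. */
public class CspHeaderExample {
  private static final SecureRandom RNG = new SecureRandom();

  // Values a site might set in its properties file (constructed for this example).
  Set<String> excludedPathSet = Set.of("/front/legacy-widget.jsp");
  List<String> cspHeaderNameList = List.of("Content-Security-Policy");
  List<String> cspReportOnlyHeaderNameList = List.of("Content-Security-Policy-Report-Only");
  String cspHeaderFmt = "default-src 'self'; script-src 'self' 'nonce-%1s'";
  String cspReportOnlyHeaderFmt =
      "default-src 'self'; script-src 'self' 'nonce-%1s'; report-uri /csp-report/";

  /** 128 bits from a CSPRNG, base64 encoded: unpredictable and unique per response. */
  static String newNonce() {
    byte[] raw = new byte[16];
    RNG.nextBytes(raw);
    return Base64.getEncoder().encodeToString(raw);
  }

  /** Mirrors configure(request, response): skip excluded paths, otherwise emit the headers. */
  void configure(HttpServletRequest request, HttpServletResponse response) {
    if (excludedPathSet.contains(request.getServletPath())) {
      return; // no CSP at all for this JSP, which is why exclusions deserve review
    }
    String nonce = newNonce();
    request.setAttribute("example.csp.nonce", nonce); // hypothetical attribute name
    // In java.util.Formatter "%1s" is a width-1 %s, so the single argument fills
    // every occurrence of it; "%1$s" would be the explicit argument-index form.
    if (!cspHeaderFmt.isEmpty()) {
      String value = String.format(cspHeaderFmt, nonce);
      for (String name : cspHeaderNameList) response.setHeader(name, value);
    }
    if (!cspReportOnlyHeaderFmt.isEmpty()) {
      String value = String.format(cspReportOnlyHeaderFmt, nonce);
      for (String name : cspReportOnlyHeaderNameList) response.setHeader(name, value);
    }
  }
}
```

A page template then reads the same nonce back, for instance with `<script nonce="<%= ContentSecurityPolicyManager.getNonce(request) %>">`, so that only scripts carrying it are executed under `script-src 'self' 'nonce-%1s'`.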
Modifier and Type | Field and Description
---|---
static java.lang.String | CSP_INITIALIZED_REQUEST_ATTRIBUTE: request attribute name indicating CSP was initialized for a request.
static java.lang.String | CSP_NONCE_REQUEST_ATTRIBUTE: request attribute name used to store the nonce computed for a request.
protected java.lang.String | cspHeaderFmt: format string used to output the "Content-Security-Policy" HTTP header value.
protected java.util.List<java.lang.String> | cspHeaderNameList: list of HTTP header names to be used to output the header corresponding to the "Content-Security-Policy" specification.
protected java.lang.String | cspReportOnlyHeaderFmt: format string used to output the "Content-Security-Policy-Report-Only" HTTP header value.
protected java.util.List<java.lang.String> | cspReportOnlyHeaderNameList: list of HTTP header names to be used to output the header corresponding to the "Content-Security-Policy-Report-Only" specification.
protected java.util.Set<java.lang.String> | excludedPathSet: set of jsp (servlet path) excluded from CSP processing.
static java.lang.String | REVISION
Fields inherited from interface JcmsConstants: ADATE_SEARCH, ADMIN_NOTES_PROP, ADVANCED_TAB, AJAX_MODE_ATTR, ARCHIVES_DIR, ASCII_WIDTH, CATEGORY_TAB, CDATE_SEARCH, CLASS_PROPERTY, COMMON_ALARM, CONTENT_TAB, COOKIE_MAX_AGE, COUNTRY_SPRITE, CTRL_TOPIC_INTERNAL, CTRL_TOPIC_REF, CTRL_TOPIC_VALUE, CTRL_TOPIC_WRITE, CUSTOM_PROP, DEFAULT_PHOTO_PROP, DOCCHOOSER_HEIGHT, DOCCHOOSER_WIDTH, DOCS_DIR, EDATE_SEARCH, EMAIL_REGEXP, ERROR_MSG, FORBIDDEN_FILE_ACCESS, FORBIDDEN_REDIRECT, FORCE_REDIRECT, GLYPH_ICON_PREFIX, ICON_ARCHIVE, ICON_ICON_PREFIX, ICON_LOCK, ICON_LOCK_STRONG, ICON_PREFIX_PROP, ICON_WARN, ICON_WH_BOOK_CLOSED, ICON_WH_BOOK_OPEN, INFORMATION_MSG, IS_IN_FRONT_OFFICE, JALIOS_JUNIT_PROP, JCMS_CADDY, JCMS_MSG_LIST, JCMS_TOASTR_COLLECTION, JSYNC_DOWNLOAD_DIR, JSYNC_SYNC_ALARM, LANG_SPRITE, LOG_FILE, LOG_TOPIC_SECURITY, LOGGER_PROP, LOGGER_XMLPROP, MBR_PHOTO_DIR, MDATE_SEARCH, MONITOR_XML, OP_CREATE, OP_CREATE_STR, OP_DEEP_COPY, OP_DEEP_COPY_STR, OP_DEEP_DELETE, OP_DEEP_DELETE_STR, OP_DELETE, OP_DELETE_STR, OP_MERGE, OP_MERGE_STR, OP_UPDATE, OP_UPDATE_STR, ORGANIZATION_ROOT_GROUP_PROP, PDATE_SEARCH, PHOTO_DIR, PHOTO_ICON, PHOTO_ICON_HEIGHT, PHOTO_ICON_PROP_PREFIX, PHOTO_ICON_WIDTH, PHOTO_LARGE, PHOTO_LARGE_HEIGHT, PHOTO_LARGE_PROP_PREFIX, PHOTO_LARGE_WIDTH, PHOTO_NORMAL, PHOTO_NORMAL_HEIGHT, PHOTO_NORMAL_PROP_PREFIX, PHOTO_NORMAL_WIDTH, PHOTO_SMALL, PHOTO_SMALL_HEIGHT, PHOTO_SMALL_PROP_PREFIX, PHOTO_SMALL_WIDTH, PHOTO_TINY, PHOTO_TINY_HEIGHT, PHOTO_TINY_PROP_PREFIX, PHOTO_TINY_WIDTH, PREVIOUS_TAB, PRINT_VIEW, PRIVATE_FILE_ACCESS, PUBLIC_FILE_ACCESS, RAW_CONTENT_ICON_PREFIX, READ_RIGHT_TAB, SDATE_SEARCH, SEARCHENGINE_ALARM, SECURITY_LOG_FILE, SESSION_AUTHORIZED_FILENAMES_SET, SPRITE_ICON_PREFIX, STATS_REPORT_DIR, STATUS_PROP, STORE_XML, SUCCESS_MSG, SVG_ICON_PREFIX, SVGINLINE_ICON_PREFIX, TEMPLATE_TAB, THUMBNAIL_LARGE_HEIGHT, THUMBNAIL_LARGE_WIDTH, THUMBNAIL_SMALL_HEIGHT, THUMBNAIL_SMALL_WIDTH, TTCARD_MEDIA_HEIGHT, TTCARD_MEDIA_WIDTH, TYPES_ICON_ALT_PROP, TYPES_ICON_SUFFIX_PROP, TYPES_ICON_TITLE_PROP, TYPES_PREFIX_PROP, TYPES_THUMB_SUFFIX_PROP, UDATE_SEARCH, UPDATE_RIGHT_TAB, UPLOAD_DIR, UPLOAD_PERMISSION_SIZE_PROP_PREFIX, URL_REGEXP, VID_LOGGED_MEMBER, WARNING_MSG, WEBAPP_PROP, WFEXPRESS_ALARM, WFREMINDER_ALARM, WORKFLOW_TAB, WORKFLOW_XML
CRLF, MILLIS_IN_ONE_DAY, MILLIS_IN_ONE_HOUR, MILLIS_IN_ONE_MINUTE, MILLIS_IN_ONE_MONTH, MILLIS_IN_ONE_SECOND, MILLIS_IN_ONE_WEEK, MILLIS_IN_ONE_YEAR
Modifier and Type | Method and Description
---|---
static void | configure(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response): initialize the Content Security Policy for the specified request/response.
static ContentSecurityPolicyManager | getInstance(): retrieve the singleton instance of this manager.
static java.lang.String | getNonce(javax.servlet.http.HttpServletRequest request): retrieve the Content Security Policy nonce value to use in HTML script tags.
void | propertiesChange(JProperties properties): invoked after properties have been modified in JCMS and saved on disk.
public static final java.lang.String REVISION

public static final java.lang.String CSP_NONCE_REQUEST_ATTRIBUTE
Corresponding value is a String.

public static final java.lang.String CSP_INITIALIZED_REQUEST_ATTRIBUTE
Corresponding value is a Boolean.

protected java.util.Set<java.lang.String> excludedPathSet
protected java.util.List<java.lang.String> cspHeaderNameList
protected java.util.List<java.lang.String> cspReportOnlyHeaderNameList
protected java.lang.String cspHeaderFmt
protected java.lang.String cspReportOnlyHeaderFmt

public static ContentSecurityPolicyManager getInstance()

public void propertiesChange(JProperties properties)
Description copied from interface: JPropertiesListener
You cannot alter the value received in parameters.
Note that the properties parameter may be null, a limited set of site properties, or all site properties.
To check that a property has been modified, reload the "current" property instead using channel.getProperties or channel.getProperty.
Specified by: propertiesChange in interface JPropertiesListener
Parameters: properties - the properties which have been submitted to change

public static void configure(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Parameters:
request - the current HttpServletRequest, must not be null
response - the current HttpServletResponse, must not be null

public static java.lang.String getNonce(javax.servlet.http.HttpServletRequest request)
Parameters:
request - the current request in which the nonce was initialized by configure(HttpServletRequest, HttpServletResponse)
Copyright © 2001-2022 Jalios SA. All Rights Reserved.