From 6cb28a23e58e139dcf7599cdd0fdf6e0e94d85b5 Mon Sep 17 00:00:00 2001 From: imm8 <109025614+imm8@users.noreply.github.com> Date: Thu, 9 Feb 2023 00:51:44 +0100 Subject: [PATCH 01/15] Enabled CSP with Meta The rules enforced allow script, image, plus style resources to be loaded from the same origin, and Websocket connection to be established similarly. --- pw/pw-csp/client/src/index.html | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/pw/pw-csp/client/src/index.html b/pw/pw-csp/client/src/index.html index 2cdf679a..e865d96a 100644 --- a/pw/pw-csp/client/src/index.html +++ b/pw/pw-csp/client/src/index.html @@ -1,10 +1,11 @@ - + + Test From a5760f79671c9cb05591df951b880bd22abf0c1a Mon Sep 17 00:00:00 2001 From: imm8 <109025614+imm8@users.noreply.github.com> Date: Thu, 9 Feb 2023 00:55:56 +0100 Subject: [PATCH 02/15] Update CSP rules Modified to permit inline styles to be inserted on the page and fonts to be fetched from the same origin. --- pw/pw-csp/client/src/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pw/pw-csp/client/src/index.html b/pw/pw-csp/client/src/index.html index e865d96a..22f1b60f 100644 --- a/pw/pw-csp/client/src/index.html +++ b/pw/pw-csp/client/src/index.html @@ -4,7 +4,7 @@ From 39da63adff7348db6da49e1a12cb16004e4da633 Mon Sep 17 00:00:00 2001 From: imm8 <109025614+imm8@users.noreply.github.com> Date: Fri, 10 Feb 2023 01:41:52 +0100 Subject: [PATCH 03/15] Disabled CSP in Meta To permit the Content-Security-Policy header sent by the server to be taken into consideration. --- pw/pw-csp/client/src/index.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pw/pw-csp/client/src/index.html b/pw/pw-csp/client/src/index.html index 22f1b60f..c5cffc03 100644 --- a/pw/pw-csp/client/src/index.html +++ b/pw/pw-csp/client/src/index.html @@ -2,10 +2,10 @@ - + > --> Test From 5ac04e30d45264865a48cced4f8b403d10712592 Mon Sep 17 00:00:00 2001 
From: imm8 <109025614+imm8@users.noreply.github.com> Date: Fri, 10 Feb 2023 01:43:44 +0100 Subject: [PATCH 04/15] Enabled CSP Config The correct rules are now automatically served from the server upon receiving an HTTP request. --- .../config/SecurityConfiguration.java | 37 ++++--------------- 1 file changed, 8 insertions(+), 29 deletions(-) diff --git a/pw/pw-csp/server/src/main/java/com/worldline/bookstore/config/SecurityConfiguration.java b/pw/pw-csp/server/src/main/java/com/worldline/bookstore/config/SecurityConfiguration.java index 7b4343bc..7de2c10c 100644 --- a/pw/pw-csp/server/src/main/java/com/worldline/bookstore/config/SecurityConfiguration.java +++ b/pw/pw-csp/server/src/main/java/com/worldline/bookstore/config/SecurityConfiguration.java @@ -105,7 +105,7 @@ protected void configure(HttpSecurity http) throws Exception { ; // TODO uncomment this line to activate JWT filter - // setCspConfig(http); + setCspConfig(http); } @@ -116,34 +116,13 @@ private void setCspConfig(HttpSecurity http) throws Exception { http .headers() .contentSecurityPolicy( - "script-src" + - " 'none' "+ - // "'unsafe-eval' 'unsafe-inline' " + - ";" + - // add connect-src directive to adapt CSP over cross-origin requests (CORS) - "connect-src"+ - " 'self'"+ - ";"+ - " style-src" + - " 'self' 'unsafe-inline'"+ - ";" + - " font-src" + - " 'self' "+ - ";" + - " img-src" + - " 'self' " + - ";" + - " child-src" + - " 'self' " + - ";" + - " object-src" + - " 'none' " + - ";" + - " report-uri" + - " 'http://localhost:4200' " + - ";" + - " default-src" + - " 'self' ");//.reportOnly(); + "default-src 'none';" + + "connect-src 'self';" + + "font-src 'self';" + + "img-src 'self';" + + "style-src 'self' 'unsafe-inline';" + + "script-src 'self' 'unsafe-inline';"); + //.reportOnly(); } private JWTConfigurer securityConfigurerAdapter() { From 03d7cf56ad1279cf2cfb4526bc279fcafad69fa9 Mon Sep 17 00:00:00 2001 
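Review bot: The comment `// TODO uncomment this line to activate JWT filter` above the now-active `setCspConfig(http);` is stale on two counts: the line is no longer commented out, and it enables the CSP header rather than a JWT filter. Replace it with something that describes what the call does, e.g. `// Adds the Content-Security-Policy response header (see setCspConfig)`, or drop it. `configure` continues outside the hunk.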
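Review bot: The rewritten policy ends with `"script-src 'self' 'unsafe-inline';"`, and `'unsafe-inline'` allows any inline script to run, so at this point in the series the header gives no protection against injected inline scripts; patches 06 and 07 later tighten this directive, which is worth stating in the commit message or a comment. The removed block also carried a `report-uri` directive and nothing replaces it, so violations are now visible only in the browser console. A one-line comment on the `default-src 'none'` baseline, e.g. `// deny-by-default; every fetch type used by the client is allow-listed explicitly below`, would help readers see why `object-src`/`child-src` no longer need listing. `setCspConfig` continues outside the hunk.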
From: imm8 <109025614+imm8@users.noreply.github.com> Date: Fri, 10 Feb 2023 09:18:33 +0100 Subject: [PATCH 05/15] Inserted an Inline script The added script appends an HTML formatted message to the page. --- pw/pw-csp/client/src/index.html | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pw/pw-csp/client/src/index.html b/pw/pw-csp/client/src/index.html index c5cffc03..e5f168c1 100644 --- a/pw/pw-csp/client/src/index.html +++ b/pw/pw-csp/client/src/index.html @@ -19,9 +19,8 @@ Uncomment the line below for PW-CSP solution - This is inline scripting. Not recommended, only for test purpose ! - To secure inline scripting, use CSP 3 sha256 hash syntax : "script-src ... 'sha256-lK+Y3vDnNUrD/ZPLGsnM6B+euoBxZ/MyiIbY2G5VoPw=' - + --> - --> From 159d11e699914b3c3bcf874ff905bd1617b02522 Mon Sep 17 00:00:00 2001 From: imm8 <109025614+imm8@users.noreply.github.com> Date: Fri, 10 Feb 2023 09:34:27 +0100 Subject: [PATCH 06/15] Enable Reporting sample Get verbose information about blocked scripts and later whitelist them. --- .../com/worldline/bookstore/config/SecurityConfiguration.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pw/pw-csp/server/src/main/java/com/worldline/bookstore/config/SecurityConfiguration.java b/pw/pw-csp/server/src/main/java/com/worldline/bookstore/config/SecurityConfiguration.java index 7de2c10c..dfea90b6 100644 --- a/pw/pw-csp/server/src/main/java/com/worldline/bookstore/config/SecurityConfiguration.java +++ b/pw/pw-csp/server/src/main/java/com/worldline/bookstore/config/SecurityConfiguration.java @@ -121,7 +121,7 @@ private void setCspConfig(HttpSecurity http) throws Exception { "font-src 'self';" + "img-src 'self';" + "style-src 'self' 'unsafe-inline';" + - "script-src 'self' 'unsafe-inline';"); + "script-src 'self' 'report-sample';"); //.reportOnly(); } From 862502dd38715c690bcb883e1d8578e02122745d Mon Sep 17 00:00:00 2001 
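Review bot: `'report-sample'` in `"script-src 'self' 'report-sample';"` only asks the browser to include a snippet of the blocked script in violation reports; this policy has no `report-uri` or `report-to` directive, so no report is delivered anywhere outside the browser. The `//.reportOnly();` call also stays commented out, so the policy is enforced while samples are being gathered, which blocks the scripts rather than just observing them. For the stated goal of collecting violations before allow-listing, a reporting endpoint plus report-only mode during collection is the usual pairing; a comment to that effect would document the intent of this step. `setCspConfig` continues outside the hunk.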
From: imm8 <109025614+imm8@users.noreply.github.com> Date: Fri, 10 Feb 2023 10:01:22 +0100 Subject: [PATCH 07/15] Enable Strict CSP It whitelists a single SHA256 hash for the scripts that invokes document.write(). --- .../com/worldline/bookstore/config/SecurityConfiguration.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pw/pw-csp/server/src/main/java/com/worldline/bookstore/config/SecurityConfiguration.java b/pw/pw-csp/server/src/main/java/com/worldline/bookstore/config/SecurityConfiguration.java index dfea90b6..05ee2310 100644 --- a/pw/pw-csp/server/src/main/java/com/worldline/bookstore/config/SecurityConfiguration.java +++ b/pw/pw-csp/server/src/main/java/com/worldline/bookstore/config/SecurityConfiguration.java @@ -121,7 +121,7 @@ private void setCspConfig(HttpSecurity http) throws Exception { "font-src 'self';" + "img-src 'self';" + "style-src 'self' 'unsafe-inline';" + - "script-src 'self' 'report-sample';"); + "script-src 'sha256-lK+Y3vDnNUrD/ZPLGsnM6B+euoBxZ/MyiIbY2G5VoPw=' 'strict-dynamic';"); //.reportOnly(); } From 22b1774222d6fa425e911e37fbbee58026c506c8 Mon Sep 17 00:00:00 2001 From: MathisMontegnies <71728967+MathisMontegnies@users.noreply.github.com> Date: Sat, 11 Feb 2023 14:17:58 +0100 Subject: [PATCH 08/15] Fixed dependencies Timed annotation seems to be missing, a dependency for metrics-annotation has been added. --- pw/pw-csp-nonce/server/pom.xml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pw/pw-csp-nonce/server/pom.xml b/pw/pw-csp-nonce/server/pom.xml index cf2a3b68..a7a38f1e 100644 --- a/pw/pw-csp-nonce/server/pom.xml +++ b/pw/pw-csp-nonce/server/pom.xml @@ -271,6 +271,12 @@ spring-boot-starter-validation + + io.dropwizard.metrics + metrics-annotation + 4.2.15 + + org.springframework.boot spring-boot-starter-web From 01795566dd3784de860f6baaacea0548e98e1f50 Mon Sep 17 00:00:00 2001 
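Review bot: With `'strict-dynamic'` in the new `script-src`, host and `'self'` source expressions are ignored and only the listed hash (and scripts it loads non-parser-inserted) may execute; if the Angular bundles are referenced by ordinary `<script src>` tags in index.html, as is usual, they would be blocked by this directive, so that should be verified. The hash must match the inline script byte-for-byte, so a comment pointing at what it covers, e.g. `// sha256 of the inline <script> in client/src/index.html — regenerate if that script changes`, would prevent silent breakage when the markup is edited. `setCspConfig` continues outside the hunk.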
From: MathisMontegnies <71728967+MathisMontegnies@users.noreply.github.com> Date: Sat, 11 Feb 2023 14:34:31 +0100 Subject: [PATCH 09/15] Implemented CSPResource class --- .../bookstore/web/rest/CSPResource.java | 61 ++++++++++++++++++- 1 file changed, 60 insertions(+), 1 deletion(-) diff --git a/pw/pw-csp-nonce/server/src/main/java/com/worldline/bookstore/web/rest/CSPResource.java b/pw/pw-csp-nonce/server/src/main/java/com/worldline/bookstore/web/rest/CSPResource.java index 44c10b2d..fe4c76ed 100644 --- a/pw/pw-csp-nonce/server/src/main/java/com/worldline/bookstore/web/rest/CSPResource.java +++ b/pw/pw-csp-nonce/server/src/main/java/com/worldline/bookstore/web/rest/CSPResource.java 
@@ -24,6 +24,65 @@ @RestController @RequestMapping("/api") public class CSPResource { + private final Logger log = LoggerFactory.getLogger(CSPResource.class); - + /** Used for Script Nonce */ + private SecureRandom prng = null; + + @GetMapping("/csp") + @Timed + // Add Script Nonce CSP Policy + public ResponseEntity generateCSP(HttpServletResponse response) { + // --Get its digest + MessageDigest sha; + // --Generate a random number + String randomNum; + try { + this.prng = SecureRandom.getInstance("SHA1PRNG"); + randomNum = new Integer(this.prng.nextInt()).toString(); + sha = MessageDigest.getInstance("SHA-1"); + } + catch (NoSuchAlgorithmException e) { + return new ResponseEntity<>(Collections.singletonMap("CSPException",e.getLocalizedMessage()), HttpStatus.INTERNAL_SERVER_ERROR); + } + + byte[] digest = sha.digest(randomNum.getBytes()); + + // --Encode it into HEXA + char[] scriptNonce = Hex.encode(digest); + + String csp = "script-src" + + " 'unsafe-eval' 'strict-dynamic' " + + " 'nonce-"+String.valueOf(scriptNonce)+"'" + + " 'sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4='" + // SRI hashes for https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js (work only for Chrome) + ";" + + // add connect-src directive to adapt CSP over cross-origin requests (CORS) + "connect-src"+ + " http://localhost:8080 http://localhost:4200 ws://localhost:4200" + + ";"+ + " style-src" + + " 'self' 'unsafe-inline'"+ + ";" + + " font-src" + + " 'self' "+ + ";" + + " img-src" + + " 'self' data:" + + ";" + + " child-src" + + " 'self' " + + ";" + + " object-src" + + " 'none' " + + ";" + + " default-src" + + " 'self' "; + + CSP conf = new CSP(csp); + conf.setNonce(String.valueOf(scriptNonce)); + + log.debug(conf.toString()); + return ResponseEntity.ok(conf); + } + } } From 87315d8560fc2b515f5dbb30a677f1bb638c7097 Mon Sep 17 00:00:00 2001 
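Review bot: The nonce carries only 32 bits of entropy: `randomNum` is a single `prng.nextInt()`, and hashing it with SHA-1 then hex-encoding (`Hex.encode(digest)`) adds length but no unpredictability, whereas the CSP specification recommends at least 128 bits of random data per nonce. Drawing 16 bytes directly from a `SecureRandom` held in a final field (the instance is thread-safe, so `SecureRandom.getInstance("SHA1PRNG")` on every request is unnecessary) and base64-encoding them removes the `MessageDigest`, the deprecated `new Integer(...)`, the charset-less `getBytes()` and the `NoSuchAlgorithmException` branch altogether, as sketched below. Separately, `'unsafe-eval'` in `script-src` and the hard-coded `http://localhost:...` entries in `connect-src` deserve a comment explaining why they are acceptable for this sample. The same body reappears re-indented in PATCH 15/15 (the last hunk on this page), where the same change applies; angle brackets on `ResponseEntity` appear to have been lost in this rendering.
```java
/** Used for Script Nonce; a SecureRandom instance is thread-safe, so one serves all requests */
private final SecureRandom prng = new SecureRandom();

@GetMapping("/csp")
@Timed
// Add Script Nonce CSP Policy
public ResponseEntity generateCSP(HttpServletResponse response) {
    // 128 bits of CSPRNG output, base64-encoded as the CSP spec recommends; no digest step needed
    byte[] nonceBytes = new byte[16];
    prng.nextBytes(nonceBytes);
    String scriptNonce = java.util.Base64.getEncoder().encodeToString(nonceBytes);

    // … unchanged: csp string assembly, with " 'nonce-" + scriptNonce + "'" as the nonce token …

    CSP conf = new CSP(csp);
    conf.setNonce(scriptNonce);
    // … unchanged: log and return …
```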
From: MathisMontegnies <71728967+MathisMontegnies@users.noreply.github.com> Date: Sat, 11 Feb 2023 14:35:42 +0100 Subject: [PATCH 10/15] Implemented CSP class --- .../src/main/java/com/worldline/bookstore/web/rest/CSP.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pw/pw-csp-nonce/server/src/main/java/com/worldline/bookstore/web/rest/CSP.java b/pw/pw-csp-nonce/server/src/main/java/com/worldline/bookstore/web/rest/CSP.java index 8b8474eb..d060fc95 100644 --- a/pw/pw-csp-nonce/server/src/main/java/com/worldline/bookstore/web/rest/CSP.java +++ b/pw/pw-csp-nonce/server/src/main/java/com/worldline/bookstore/web/rest/CSP.java @@ -1,8 +1,7 @@ package com.worldline.bookstore.web.rest; public class CSP { - - /*private String value; + private String value; private String nonce; public String getNonce() { @@ -29,5 +28,5 @@ public void setValue(String value) { @Override public String toString() { return "CSP [value=" + value + ", nonce=" + nonce + "]"; - }*/ + } } From 6d538b20d558bccb76ce761a727dfd81ecab860d Mon Sep 17 00:00:00 2001 From: MathisMontegnies <71728967+MathisMontegnies@users.noreply.github.com> Date: Sat, 11 Feb 2023 14:58:14 +0100 Subject: [PATCH 11/15] Created CSPConfig class A class that acquires the random CSP nonce from the server using the API. --- .../src/app/services/cspConfigService.ts | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/pw/pw-csp-nonce/client/src/app/services/cspConfigService.ts b/pw/pw-csp-nonce/client/src/app/services/cspConfigService.ts index ce133679..a466109b 100644 --- a/pw/pw-csp-nonce/client/src/app/services/cspConfigService.ts +++ b/pw/pw-csp-nonce/client/src/app/services/cspConfigService.ts 
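Review bot: `toString()` includes `nonce`, and `CSPResource` logs `conf.toString()` at debug level, so every per-request nonce is written to the application log; a nonce is short-lived, but keeping secrets out of logs is the safer default, e.g. `return "CSP [value=" + value + ", nonce=<redacted>]";`. The class is a mutable bean (`setValue`/`setNonce`) handed to the response serializer, and a class Javadoc such as `/** CSP policy text plus the per-request script nonce returned by /api/csp. */` would document that role. The constructor `CSPResource` calls (`new CSP(csp)`) is not visible in this hunk and presumably sits in the lines between the two hunks.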
@@ -5,5 +5,33 @@ import { HttpClient, HttpResponse } from '@angular/common/http'; // This service gets the Content-Security-Policy and a random nonce from a REST api endpoint /api/csp export class CspConfig { + private _config: any; + private _nonce: any; + private http: HttpClient; + // can't use classical Angular DI for HttpClient here, because of "cyclic dependency" issues + // Use Injector service to instanciate HttpClient + constructor(injector: Injector) { + this.http = injector.get(HttpClient); + } + + // Load Content-Security-Policy from a REST api endpoint + // The returned data will contain the CSP configuration ('value') and the a random generated nonce ('nonce') + load(): Promise { + return this.http.get('/api/csp') + .toPromise() + .then(data => { + this._config = data['value']; + this._nonce = data['nonce']; + return data; + }) + } + + get config(): any { + return this._config; + } + + get nonce(): any { + return this._nonce; + } } From 02d220e050d10b5461317cbf12f9fe6e6ea054ee Mon Sep 17 00:00:00 2001 From: MathisMontegnies <71728967+MathisMontegnies@users.noreply.github.com> Date: Sat, 11 Feb 2023 15:15:17 +0100 Subject: [PATCH 12/15] Loosened type for data To remove Typescript errors, data is now of type any with no further checks. --- .../client/src/app/services/cspConfigService.ts | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pw/pw-csp-nonce/client/src/app/services/cspConfigService.ts b/pw/pw-csp-nonce/client/src/app/services/cspConfigService.ts index a466109b..64fd5a8d 100644 --- a/pw/pw-csp-nonce/client/src/app/services/cspConfigService.ts +++ b/pw/pw-csp-nonce/client/src/app/services/cspConfigService.ts @@ -3,6 +3,7 @@ import { HttpClient, HttpResponse } from '@angular/common/http'; @Injectable() // This service gets the Content-Security-Policy and a random nonce from a REST api endpoint /api/csp + export class CspConfig { private _config: any; 
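Review bot: `load()` copies `data['value']` and `data['nonce']` into fields typed `any`, so nothing checks that the server returned both strings before they are used to build a policy; a small interface, `interface CspResponse { value: string; nonce: string; }`, used as `this.http.get<CspResponse>('/api/csp')`, would make the contract explicit and remove the index access. `Injector` is not in the visible import line and presumably comes from `@angular/core` earlier in the file. The leading `// This service gets ...` comment could become a JSDoc on the class noting that `config` and `nonce` are undefined until the promise from `load()` resolves.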
@@ -20,9 +21,9 @@ export class CspConfig { load(): Promise { return this.http.get('/api/csp') .toPromise() - .then(data => { - this._config = data['value']; - this._nonce = data['nonce']; + .then((data: any) => { + this._config = data['value'] ?? ''; + this._nonce = data['nonce'] ?? ''; return data; }) } From 40b4451aeac08504203695b03a36fcd6cf503e45 Mon Sep 17 00:00:00 2001 From: MathisMontegnies <71728967+MathisMontegnies@users.noreply.github.com> Date: Sat, 11 Feb 2023 15:16:30 +0100 Subject: [PATCH 13/15] Referenced CspConfig Now it's one of the providers and dependency injection can be used afterwards. --- pw/pw-csp-nonce/client/src/app/app.module.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pw/pw-csp-nonce/client/src/app/app.module.ts b/pw/pw-csp-nonce/client/src/app/app.module.ts index 78f979d7..5baa086a 100644 --- a/pw/pw-csp-nonce/client/src/app/app.module.ts +++ b/pw/pw-csp-nonce/client/src/app/app.module.ts @@ -14,6 +14,7 @@ import { FormsModule, ReactiveFormsModule } from '@angular/forms'; import { Router } from '@angular/router'; +import { CspConfig } from './services/cspConfigService'; import { UserService } from './services/userService'; import { BooksService } from './services/booksService'; import { DataContainerService } from './services/dataContainerService'; @@ -50,6 +51,7 @@ import { Login } from './login/login'; ], providers: [ UserService, + CspConfig, BooksService, DataContainerService, ContactService, From 2277661c624a4fb6eaa213ec1bc2bbfef202b01e Mon Sep 17 00:00:00 2001 From: MathisMontegnies <71728967+MathisMontegnies@users.noreply.github.com> Date: Sat, 11 Feb 2023 15:28:56 +0100 Subject: [PATCH 14/15] Created AppComponent constructor Now it makes use of the CspConfig service and displays the CSP nonce on the debug console. --- .../client/src/app/app.component.ts | 47 ++++++++++++++++++- 1 file changed, 46 insertions(+), 1 deletion(-) 
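Review bot: The `?? ''` fallbacks turn a response lacking `value` or `nonce` into empty strings instead of an error, so a misconfigured `/api/csp` is silently accepted and callers cannot distinguish a real policy from a missing one. Rejecting instead, e.g. `if (typeof data?.value !== 'string' || typeof data?.nonce !== 'string') { throw new Error('/api/csp returned no CSP value/nonce'); }`, keeps the failure visible and would let the two fields be typed `string` rather than `any`. `load()` continues outside the hunk.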
diff --git a/pw/pw-csp-nonce/client/src/app/app.component.ts b/pw/pw-csp-nonce/client/src/app/app.component.ts index 8f99046d..f7bb53e3 100644 --- a/pw/pw-csp-nonce/client/src/app/app.component.ts +++ b/pw/pw-csp-nonce/client/src/app/app.component.ts @@ -1,5 +1,6 @@ import { Component } from '@angular/core'; import { Router } from '@angular/router'; +import { CspConfig } from './services/cspConfigService'; import { UserService } from './services/userService'; @Component({ 
@@ -9,7 +10,51 @@ import { UserService } from './services/userService'; providers: [], }) export class AppComponent { - constructor(private router: Router, public userService: UserService) {} + private csp: string; + private nonce: string; + + constructor( + private router: Router, + public userService: UserService, + public cspConfig: CspConfig) { + this.csp = this.nonce = ''; + + cspConfig.load().then( + data => { + this.csp = data['value']; + this.nonce = data['nonce']; + + console.debug('csp : ' + this.csp); + console.debug('nonce : ' + this.nonce); + + // can't use the Meta#addTags() method to set CSP because it will insert the meta tag too late, so we add it "manually" + var meta = ""; + this.renderHtml(meta, 'head'); + console.log('content-security-policy meta : ' + meta); + + // Add secure inline scripting (a script block with a nonce) + // The script will just render a message at the bottom of the page + // (here, we don't use document.write method otherwise it will replace the whole page rendering) + var yourHtmlString = + ""; + this.renderHtml(yourHtmlString, 'head'); + console.log('inline scripting !!! ', yourHtmlString); + }); + } + + /** + * + * Renders an html portion inside a given html tag + * @param message: a string which represents the html portion to render in the page + * @param parentTag : the html tag name in which the html portion will be inserted as a first child + */ + private renderHtml(message: string, parentTag: string) { + var fragment = document.createRange().createContextualFragment(message); + document.getElementsByTagName(parentTag)[0].appendChild(fragment); + } logout() { this.userService.logout(); From 58389fb915762cc3fd26214971fc9b416ebca66b Mon Sep 17 00:00:00 2001 
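Review bot: The doc comment on `renderHtml` says the fragment is inserted as a first child, but `appendChild` places it last; for the CSP `<meta>` this matters, since a meta policy only governs content parsed after it, so either correct the comment or use `const parent = document.getElementsByTagName(parentTag)[0]; parent.insertBefore(fragment, parent.firstChild);`. The `cspConfig.load().then(...)` chain has no rejection handler, so a failed `/api/csp` call becomes an unhandled rejection and the page runs without the meta policy. Because the policy and nonce are fetched and installed by application script after the bundles have already executed, this appears to protect only content added after the meta tag; stating that limit in the class comment would make the scope of the sample explicit. The two HTML string literals (`meta`, `yourHtmlString`) render as empty here, so their contents could not be reviewed; `AppComponent` continues outside the hunk.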
From: imm8 <109025614+imm8@users.noreply.github.com> Date: Sat, 11 Feb 2023 16:45:06 +0100 Subject: [PATCH 15/15] Fixed CSPResource class Removed an additional closing bracket. --- .../bookstore/web/rest/CSPResource.java | 99 +++++++++---------- 1 file changed, 49 insertions(+), 50 deletions(-) diff --git a/pw/pw-csp-nonce/server/src/main/java/com/worldline/bookstore/web/rest/CSPResource.java b/pw/pw-csp-nonce/server/src/main/java/com/worldline/bookstore/web/rest/CSPResource.java index fe4c76ed..08e7bccf 100644 --- a/pw/pw-csp-nonce/server/src/main/java/com/worldline/bookstore/web/rest/CSPResource.java +++ b/pw/pw-csp-nonce/server/src/main/java/com/worldline/bookstore/web/rest/CSPResource.java 
@@ -29,60 +29,59 @@ public class CSPResource { /** Used for Script Nonce */ private SecureRandom prng = null; - @GetMapping("/csp") - @Timed - // Add Script Nonce CSP Policy - public ResponseEntity generateCSP(HttpServletResponse response) { - // --Get its digest - MessageDigest sha; - // --Generate a random number - String randomNum; - try { - this.prng = SecureRandom.getInstance("SHA1PRNG"); - randomNum = new Integer(this.prng.nextInt()).toString(); - sha = MessageDigest.getInstance("SHA-1"); - } - catch (NoSuchAlgorithmException e) { - return new ResponseEntity<>(Collections.singletonMap("CSPException",e.getLocalizedMessage()), HttpStatus.INTERNAL_SERVER_ERROR); - } + @GetMapping("/csp") + @Timed + // Add Script Nonce CSP Policy + public ResponseEntity generateCSP(HttpServletResponse response) { + // --Get its digest + MessageDigest sha; + // --Generate a random number + String randomNum; + try { + this.prng = SecureRandom.getInstance("SHA1PRNG"); + randomNum = new Integer(this.prng.nextInt()).toString(); + sha = MessageDigest.getInstance("SHA-1"); + } + catch (NoSuchAlgorithmException e) { + return new ResponseEntity<>(Collections.singletonMap("CSPException",e.getLocalizedMessage()), HttpStatus.INTERNAL_SERVER_ERROR); + } - byte[] digest = sha.digest(randomNum.getBytes()); + byte[] digest = sha.digest(randomNum.getBytes()); - // --Encode it into HEXA - char[] scriptNonce = Hex.encode(digest); + // --Encode it into HEXA + char[] scriptNonce = Hex.encode(digest); - String csp = "script-src" + - " 'unsafe-eval' 'strict-dynamic' " + - " 'nonce-"+String.valueOf(scriptNonce)+"'" + - " 'sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4='" + // SRI hashes for https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js (work only for Chrome) - ";" + - // add connect-src directive to adapt CSP over cross-origin requests (CORS) - "connect-src"+ - " http://localhost:8080 http://localhost:4200 ws://localhost:4200" - + ";"+ - " style-src" + - " 'self' 
'unsafe-inline'"+ - ";" + - " font-src" + - " 'self' "+ - ";" + - " img-src" + - " 'self' data:" + - ";" + - " child-src" + - " 'self' " + - ";" + - " object-src" + - " 'none' " + - ";" + - " default-src" + - " 'self' "; + String csp = "script-src" + + " 'unsafe-eval' 'strict-dynamic' " + + " 'nonce-"+String.valueOf(scriptNonce)+"'" + + " 'sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4='" + // SRI hashes for https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js (work only for Chrome) + ";" + + // add connect-src directive to adapt CSP over cross-origin requests (CORS) + "connect-src"+ + " http://localhost:8080 http://localhost:4200 ws://localhost:4200" + + ";"+ + " style-src" + + " 'self' 'unsafe-inline'"+ + ";" + + " font-src" + + " 'self' "+ + ";" + + " img-src" + + " 'self' data:" + + ";" + + " child-src" + + " 'self' " + + ";" + + " object-src" + + " 'none' " + + ";" + + " default-src" + + " 'self' "; - CSP conf = new CSP(csp); - conf.setNonce(String.valueOf(scriptNonce)); + CSP conf = new CSP(csp); + conf.setNonce(String.valueOf(scriptNonce)); - log.debug(conf.toString()); - return ResponseEntity.ok(conf); - } + log.debug(conf.toString()); + return ResponseEntity.ok(conf); } }