Example 1 with ContentSecurityPolicy

Use of org.eclipse.scout.rt.server.commons.servlet.ContentSecurityPolicy in project scout.rt by eclipse.

From the class BrowserFieldContentHttpResponseInterceptor, method intercept. The interceptor builds a Content-Security-Policy for the content served into a browser field (a sandboxed iframe) and selects the header name by user agent:

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.scout.rt.platform.BEANS;
import org.eclipse.scout.rt.server.commons.servlet.ContentSecurityPolicy;
import org.eclipse.scout.rt.server.commons.servlet.HttpClientInfo;
import org.eclipse.scout.rt.server.commons.servlet.HttpServletControl;

@Override
public void intercept(HttpServletRequest req, HttpServletResponse resp) {
    // Obtain the policy bean and relax script-src for the browser field content.
    // Note: 'unsafe-inline' in script-src disables CSP's protection against injected
    // inline scripts for this response, so it must only apply to the sandboxed content.
    ContentSecurityPolicy csp = BEANS.get(ContentSecurityPolicy.class).appendScriptSrc("'unsafe-inline'");
    // Bug in Chrome: CSP 'self' is not interpreted correctly in sandboxed iframes, see https://bugs.chromium.org/p/chromium/issues/detail?id=443444
    // Workaround: Add the resolved URI to the img-src and style-src directives so images and styles
    // can still be loaded from the same origin as the nested iframe in the browser field
    HttpClientInfo httpClientInfo = HttpClientInfo.get(req);
    if (httpClientInfo.isWebkit()) {
        // m_browserUri is a field of the enclosing interceptor holding the browser field's resolved URI
        String resolvedSelfUri = m_browserUri.toString();
        csp.appendImgSrc(resolvedSelfUri).appendStyleSrc(resolvedSelfUri);
    }
    String cspToken = csp.toToken();
    // Legacy MSHTML (Internet Explorer) clients only honour the prefixed header name.
    if (httpClientInfo.isMshtml()) {
        resp.setHeader(HttpServletControl.HTTP_HEADER_CSP_LEGACY, cspToken);
    } else {
        resp.setHeader(HttpServletControl.HTTP_HEADER_CSP, cspToken);
    }
}
Also used: ContentSecurityPolicy (org.eclipse.scout.rt.server.commons.servlet.ContentSecurityPolicy), HttpClientInfo (org.eclipse.scout.rt.server.commons.servlet.HttpClientInfo)
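The following is an added example, not Scout's own code: a minimal policy builder in Python that reproduces the append-then-serialize pattern of intercept() above (append sources to a directive, serialize with toToken, pick the header name by user agent), plus an audit function that flags what appending 'unsafe-inline' to script-src gives up. The baseline policy, the substring-based user-agent checks and the header name constants are assumptions for the example; Scout's real defaults and HttpClientInfo logic may differ.

```python
"""Added example (not Scout code): CSP builder mirroring the intercept() pattern,
with an audit of the resulting policy."""
from typing import Dict, List, Tuple

# Assumed header names; Scout's HttpServletControl constants are not reproduced here.
HTTP_HEADER_CSP = "Content-Security-Policy"
HTTP_HEADER_CSP_LEGACY = "X-Content-Security-Policy"  # prefixed name understood by old IE

# Constructed baseline policy for the example; Scout's real default directives differ.
BASELINE = ("default-src 'self'; script-src 'self'; style-src 'self'; "
            "img-src 'self' data:; frame-ancestors 'self'")


def parse_csp(token: str) -> Dict[str, List[str]]:
    """Split a serialized policy into directive -> ordered list of sources."""
    directives: Dict[str, List[str]] = {}
    for part in token.split(";"):
        fields = part.split()
        if fields:
            directives[fields[0].lower()] = fields[1:]
    return directives


class ContentSecurityPolicy:
    """Fluent builder: append*() mutate a directive and return self; to_token() serializes."""

    def __init__(self, token: str = BASELINE) -> None:
        self._directives = parse_csp(token)

    def append(self, directive: str, source: str) -> "ContentSecurityPolicy":
        sources = self._directives.setdefault(directive, [])
        if source not in sources:  # appending twice does not duplicate the source
            sources.append(source)
        return self

    def append_script_src(self, source: str) -> "ContentSecurityPolicy":
        return self.append("script-src", source)

    def append_img_src(self, source: str) -> "ContentSecurityPolicy":
        return self.append("img-src", source)

    def append_style_src(self, source: str) -> "ContentSecurityPolicy":
        return self.append("style-src", source)

    def to_token(self) -> str:
        return "; ".join(f"{d} {' '.join(v)}".rstrip() for d, v in self._directives.items())


def is_mshtml(user_agent: str) -> bool:
    """Assumed detection: IE identifies itself with 'MSIE ' or 'Trident/'."""
    return "Trident/" in user_agent or "MSIE " in user_agent


def is_webkit(user_agent: str) -> bool:
    """Assumed detection: Chrome and Safari carry 'AppleWebKit/' in the user agent."""
    return "AppleWebKit/" in user_agent


def build_csp_header(user_agent: str, browser_uri: str) -> Tuple[str, str]:
    """Same decision sequence as intercept(): relax script-src, apply the WebKit
    workaround for sandboxed iframes, then choose the header name by user agent."""
    csp = ContentSecurityPolicy().append_script_src("'unsafe-inline'")
    if is_webkit(user_agent):
        csp.append_img_src(browser_uri).append_style_src(browser_uri)
    name = HTTP_HEADER_CSP_LEGACY if is_mshtml(user_agent) else HTTP_HEADER_CSP
    return name, csp.to_token()


def audit(token: str) -> List[str]:
    """Findings a reviewer would raise on the emitted policy."""
    directives = parse_csp(token)
    findings: List[str] = []
    script = directives.get("script-src", directives.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'; without one
    # it re-enables every inline script, including injected ones.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash: "
                        "inline script injection is not blocked")
    if "*" in script:
        findings.append("script-src allows '*'")
    if "default-src" not in directives:
        findings.append("no default-src fallback for unlisted fetch directives")
    return findings
```

Calling build_csp_header with a Chrome user agent yields the standard header name and a policy whose img-src and style-src carry the browser field URI; an IE11 user agent yields the X-prefixed header without the workaround. In both cases audit() reports the 'unsafe-inline' finding, which is the trade-off the interceptor accepts for content it already confines to a sandboxed iframe.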
