Example 1 with ContentSecurityPolicyBuilder

Use of org.keycloak.models.ContentSecurityPolicyBuilder in the project keycloak by keycloak.

The class DefaultSecurityHeadersProvider, method addHtmlHeaders.

private void addHtmlHeaders(MultivaluedMap<String, Object> headers) {
    // Emit every configured browser security header (X-Frame-Options, Content-Security-Policy, ...).
    for (BrowserSecurityHeaders header : BrowserSecurityHeaders.values()) {
        addHeader(header, headers);
    }
    // TODO This will be refactored as part of introducing a more strict CSP header
    if (options != null) {
        ContentSecurityPolicyBuilder csp = ContentSecurityPolicyBuilder.create();
        if (options.isAllowAnyFrameAncestor()) {
            // Embedding from any origin is permitted: drop X-Frame-Options and clear the
            // frame-ancestors directive so the CSP does not block it either.
            headers.remove(BrowserSecurityHeaders.X_FRAME_OPTIONS.getHeaderName());
            csp.frameAncestors(null);
        }
        String allowedFrameSrc = options.getAllowedFrameSrc();
        if (allowedFrameSrc != null) {
            // Restrict frame-src to the explicitly allowed sources.
            csp.frameSrc(allowedFrameSrc);
        }
        // Only replace the CSP header while it still carries the default value,
        // so a realm-customized Content-Security-Policy is left untouched.
        if (CONTENT_SECURITY_POLICY.getDefaultValue().equals(headers.getFirst(CONTENT_SECURITY_POLICY.getHeaderName()))) {
            headers.putSingle(CONTENT_SECURITY_POLICY.getHeaderName(), csp.build());
        }
    }
}
Also used: ContentSecurityPolicyBuilder (org.keycloak.models.ContentSecurityPolicyBuilder), BrowserSecurityHeaders (org.keycloak.models.BrowserSecurityHeaders)
