Add reactive support for Content-Security-Policy security header

This commit is contained in:
Vedran Pavic
2018-08-20 07:36:16 +02:00
committed by Rob Winch
parent 29cfc3dd1d
commit 10621a0f2c
4 changed files with 253 additions and 1 deletions

View File

@@ -27,6 +27,7 @@ import org.junit.Test;
import org.springframework.http.HttpHeaders;
import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
import org.springframework.security.web.server.header.ContentSecurityPolicyServerHttpHeadersWriter;
import org.springframework.security.web.server.header.ContentTypeOptionsServerHttpHeadersWriter;
import org.springframework.security.web.server.header.FeaturePolicyServerHttpHeadersWriter;
import org.springframework.security.web.server.header.StrictTransportSecurityServerHttpHeadersWriter;
@@ -153,11 +154,23 @@ public class HeaderSpecTests {
String policyDirectives = "Feature-Policy";
this.expectedHeaders.add(FeaturePolicyServerHttpHeadersWriter.FEATURE_POLICY,
policyDirectives);
this.headers.featurePolicy(policyDirectives);
assertHeaders();
}
@Test
public void headersWhenContentSecurityPolicyEnabledThenFeaturePolicyWritten() {
String policyDirectives = "default-src 'self'";
this.expectedHeaders.add(ContentSecurityPolicyServerHttpHeadersWriter.CONTENT_SECURITY_POLICY,
policyDirectives);
this.headers.contentSecurityPolicy(policyDirectives);
assertHeaders();
}
private void expectHeaderNamesNotPresent(String... headerNames) {
for(String headerName : headerNames) {
this.expectedHeaders.remove(headerName);