Make X-Xss-Protection configurable through ServerHttpSecurity
OWASP recommends using "X-Xss-Protection: 0". The default is currently "X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0". This commits adds the ability to configure the xssProtection header value in ServerHttpSecurity. This commit deprecates the use of "enabled" and "block" booleans to configure XSS protection, as the state "!enabled + block" is invalid. This impacts HttpSecurity. Issue gh-9631
This commit is contained in:
committed by
Steve Riesenberg
parent
7b1158ddb7
commit
93250013e4
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -94,4 +94,34 @@ public class XXssProtectionHeaderWriterTests {
|
||||
assertThat(this.response.getHeader(XSS_PROTECTION_HEADER)).isSameAs(value);
|
||||
}
|
||||
|
||||
@Test
|
||||
void writeHeaderWhenDisabled() {
|
||||
this.writer.setHeaderValue(XXssProtectionHeaderWriter.HeaderValue.DISABLED);
|
||||
this.writer.writeHeaders(this.request, this.response);
|
||||
assertThat(this.response.getHeaderNames()).hasSize(1);
|
||||
assertThat(this.response.getHeaderValues("X-XSS-Protection")).containsOnly("0");
|
||||
}
|
||||
|
||||
@Test
|
||||
void writeHeaderWhenEnabled() {
|
||||
this.writer.setHeaderValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED);
|
||||
this.writer.writeHeaders(this.request, this.response);
|
||||
assertThat(this.response.getHeaderNames()).hasSize(1);
|
||||
assertThat(this.response.getHeaderValues("X-XSS-Protection")).containsOnly("1");
|
||||
}
|
||||
|
||||
@Test
|
||||
void writeHeaderWhenEnabledModeBlock() {
|
||||
this.writer.setHeaderValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK);
|
||||
this.writer.writeHeaders(this.request, this.response);
|
||||
assertThat(this.response.getHeaderNames()).hasSize(1);
|
||||
assertThat(this.response.getHeaderValues("X-XSS-Protection")).containsOnly("1; mode=block");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void setHeaderValueNullThenThrowsIllegalArgumentException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.writer.setHeaderValue(null))
|
||||
.withMessage("headerValue cannot be null");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2017 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -24,6 +24,7 @@ import org.springframework.mock.web.server.MockServerWebExchange;
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
@@ -37,6 +38,12 @@ public class XXssProtectionServerHttpHeadersWriterTests {
|
||||
|
||||
XXssProtectionServerHttpHeadersWriter writer = new XXssProtectionServerHttpHeadersWriter();
|
||||
|
||||
@Test
|
||||
void setHeaderValueNullThenThrowsIllegalArgumentException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.writer.setHeaderValue(null))
|
||||
.withMessage("headerValue cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void writeHeadersWhenNoHeadersThenWriteHeaders() {
|
||||
this.writer.writeHttpHeaders(this.exchange);
|
||||
@@ -70,4 +77,29 @@ public class XXssProtectionServerHttpHeadersWriterTests {
|
||||
assertThat(this.headers.get(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION)).containsOnly(headerValue);
|
||||
}
|
||||
|
||||
@Test
|
||||
void writeHeadersWhenDisabledThenWriteHeaders() {
|
||||
this.writer.setHeaderValue(XXssProtectionServerHttpHeadersWriter.HeaderValue.DISABLED);
|
||||
this.writer.writeHttpHeaders(this.exchange);
|
||||
assertThat(this.headers).hasSize(1);
|
||||
assertThat(this.headers.get(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION)).containsOnly("0");
|
||||
}
|
||||
|
||||
@Test
|
||||
void writeHeadersWhenEnabledThenWriteHeaders() {
|
||||
this.writer.setHeaderValue(XXssProtectionServerHttpHeadersWriter.HeaderValue.ENABLED);
|
||||
this.writer.writeHttpHeaders(this.exchange);
|
||||
assertThat(this.headers).hasSize(1);
|
||||
assertThat(this.headers.get(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION)).containsOnly("1");
|
||||
}
|
||||
|
||||
@Test
|
||||
void writeHeadersWhenEnabledModeBlockThenWriteHeaders() {
|
||||
this.writer.setHeaderValue(XXssProtectionServerHttpHeadersWriter.HeaderValue.ENABLED_MODE_BLOCK);
|
||||
this.writer.writeHttpHeaders(this.exchange);
|
||||
assertThat(this.headers).hasSize(1);
|
||||
assertThat(this.headers.get(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION))
|
||||
.containsOnly("1 ; mode=block");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user