Merge pull request #7373 from qerub/content-security-policy

* pr/7373:
  Polish content security policy contribution
  Add properties for content security policy

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java

@@ -174,6 +174,20 @@ public class SecurityProperties implements SecurityPrerequisite {
 			NONE, DOMAIN, ALL
 		}
 
+		public enum ContentSecurityPolicyMode {
+
+			/**
+			 * Use the 'Content-Security-Policy' header.
+			 */
+			DEFAULT,
+
+			/**
+			 * Use the 'Content-Security-Policy-Report-Only' header.
+			 */
+			REPORT_ONLY
+
+		}
+
 		/**
 		 * Enable cross site scripting (XSS) protection.
 		 */
@@ -194,6 +208,16 @@ public class SecurityProperties implements SecurityPrerequisite {
 		 */
 		private boolean contentType = true;
 
+		/**
+		 * Value for content security policy header.
+		 */
+		private String contentSecurityPolicy;
+
+		/**
+		 * Security policy mode.
+		 */
+		private ContentSecurityPolicyMode contentSecurityPolicyMode = ContentSecurityPolicyMode.DEFAULT;
+
 		/**
 		 * HTTP Strict Transport Security (HSTS) mode (none, domain, all).
 		 */
@@ -231,6 +255,23 @@ public class SecurityProperties implements SecurityPrerequisite {
 			this.contentType = contentType;
 		}
 
+		public String getContentSecurityPolicy() {
+			return this.contentSecurityPolicy;
+		}
+
+		public void setContentSecurityPolicy(String contentSecurityPolicy) {
+			this.contentSecurityPolicy = contentSecurityPolicy;
+		}
+
+		public ContentSecurityPolicyMode getContentSecurityPolicyMode() {
+			return this.contentSecurityPolicyMode;
+		}
+
+		public void setContentSecurityPolicyMode(
+				ContentSecurityPolicyMode contentSecurityPolicyMode) {
+			this.contentSecurityPolicyMode = contentSecurityPolicyMode;
+		}
+
 		public HSTS getHsts() {
 			return this.hsts;
 		}

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java

@@ -29,6 +29,7 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.security.SecurityProperties.Headers;
+import org.springframework.boot.autoconfigure.security.SecurityProperties.Headers.ContentSecurityPolicyMode;
 import org.springframework.boot.autoconfigure.web.ErrorController;
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
@@ -108,6 +109,16 @@ public class SpringBootWebSecurityConfiguration {
 		if (!headers.isContentType()) {
 			configurer.contentTypeOptions().disable();
 		}
+		if (StringUtils.hasText(headers.getContentSecurityPolicy())) {
+			String policyDirectives = headers.getContentSecurityPolicy();
+			ContentSecurityPolicyMode mode = headers.getContentSecurityPolicyMode();
+			if (mode == ContentSecurityPolicyMode.DEFAULT) {
+				configurer.contentSecurityPolicy(policyDirectives);
+			}
+			else {
+				configurer.contentSecurityPolicy(policyDirectives).reportOnly();
+			}
+		}
 		if (!headers.isXss()) {
 			configurer.xssProtection().disable();
 		}

spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java

@@ -213,7 +213,9 @@ public class SpringBootWebSecurityConfigurationTests {
 				.andExpect(MockMvcResultMatchers.header().string("Cache-Control",
 						is(notNullValue())))
 				.andExpect(MockMvcResultMatchers.header().string("X-Frame-Options",
-						is(notNullValue())));
+						is(notNullValue())))
+				.andExpect(MockMvcResultMatchers.header()
+						.doesNotExist("Content-Security-Policy"));
 	}
 
 	@Test
@@ -239,6 +241,39 @@ public class SpringBootWebSecurityConfigurationTests {
 						MockMvcResultMatchers.header().doesNotExist("X-Frame-Options"));
 	}
 
+	@Test
+	public void contentSecurityPolicyConfiguration() throws Exception {
+		this.context = SpringApplication.run(VanillaWebConfiguration.class,
+				"--security.headers.content-security-policy=default-src 'self';");
+		MockMvc mockMvc = MockMvcBuilders
+				.webAppContextSetup((WebApplicationContext) this.context)
+				.addFilters((FilterChainProxy) this.context
+						.getBean("springSecurityFilterChain", Filter.class))
+				.build();
+		mockMvc.perform(MockMvcRequestBuilders.get("/"))
+				.andExpect(MockMvcResultMatchers.header()
+						.string("Content-Security-Policy", is("default-src 'self';")))
+				.andExpect(MockMvcResultMatchers.header()
+						.doesNotExist("Content-Security-Policy-Report-Only"));
+	}
+
+	@Test
+	public void contentSecurityPolicyReportOnlyConfiguration() throws Exception {
+		this.context = SpringApplication.run(VanillaWebConfiguration.class,
+				"--security.headers.content-security-policy=default-src 'self';",
+				"--security.headers.content-security-policy-mode=report-only");
+		MockMvc mockMvc = MockMvcBuilders
+				.webAppContextSetup((WebApplicationContext) this.context)
+				.addFilters((FilterChainProxy) this.context
+						.getBean("springSecurityFilterChain", Filter.class))
+				.build();
+		mockMvc.perform(MockMvcRequestBuilders.get("/"))
+				.andExpect(MockMvcResultMatchers.header().string(
+						"Content-Security-Policy-Report-Only", is("default-src 'self';")))
+				.andExpect(MockMvcResultMatchers.header()
+						.doesNotExist("Content-Security-Policy"));
+	}
+
 	@Configuration
 	@Import(TestWebConfiguration.class)
 	@Order(Ordered.LOWEST_PRECEDENCE)

spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc

@@ -431,6 +431,8 @@ content into your application; rather pick only the properties that you need.
 	security.filter-order=0 # Security filter chain order.
 	security.filter-dispatcher-types=ASYNC, FORWARD, INCLUDE, REQUEST # Security filter chain dispatcher types.
 	security.headers.cache=true # Enable cache control HTTP headers.
+	security.headers.content-security-policy= # Value for content security policy header.
+	security.headers.content-security-policy-mode=default # Content security policy mode (default, report-only).
 	security.headers.content-type=true # Enable "X-Content-Type-Options" header.
 	security.headers.frame=true # Enable "X-Frame-Options" header.
 	security.headers.hsts= # HTTP Strict Transport Security (HSTS) mode (none, domain, all).