WEBUI-1498: Restrict object-src to 'none' in CSP

nuxeo · Dec 16, 2024 · aec4105 · aec4105
1 parent 04fee7c
commit aec4105
Showing 1 changed file with 37 additions and 1 deletion.
diff --git a/plugin/web-ui/addon/src/main/resources/web/nuxeo.war/ui/index.jsp b/plugin/web-ui/addon/src/main/resources/web/nuxeo.war/ui/index.jsp
@@ -22,6 +22,8 @@ limitations under the License.
 <%@ page import="org.nuxeo.runtime.api.Framework"%>
 <%@ page import="org.nuxeo.ecm.core.api.repository.RepositoryManager"%>
 <%@ page import="org.nuxeo.common.utils.UserAgentMatcher"%>
+<%@ page import="javax.servlet.http.HttpServletResponse" %>
+
 
 <%
   String ua = request.getHeader("user-agent");
@@ -36,7 +38,42 @@ limitations under the License.
   } else {
     baseUrl = context + "/repo/" + repository + "/ui/";
   }
+  HttpServletResponse resp = (HttpServletResponse) pageContext.getResponse();
   String NX_NONCE_VALUE = UUID.randomUUID().toString();
+  String updatedScriptSrcStr = "'self' 'strict-dynamic' 'nonce-" + NX_NONCE_VALUE + "'";
+  String cspHeader = resp.getHeader("Content-Security-Policy");
+  String newCspHeader = "";
+  boolean isExistingCspHeaderEmpty = false;
+  if(cspHeader != null || cspHeader.trim().isEmpty()) { 
+    isExistingCspHeaderEmpty = true;
+    cspHeader = "";
+   }
+  String scriptSrc = "";
+  String directive = null;
+  String[] directives = cspHeader.split(";");
+  boolean foundScriptSrcMatch = false;
+  boolean foundObjectSrcMatch = false;
+  for (int i = 0; i < directives.length; i++) {
+    directive = directives[i].trim();
+    if (directive.startsWith("script-src ")) {
+        foundScriptSrcMatch = true;
+        directive = directive.trim() + " " + updatedScriptSrcStr;
+        directives[i] = directive;
+    }
+    if (directive.startsWith("object-src ")) {
+      foundObjectSrcMatch = true;
+    }
+  }
+  if(foundScriptSrcMatch) {
+    newCspHeader =  String.join(";", directives);
+  }
+  else {
+    newCspHeader = cspHeader.trim() + (isExistingCspHeaderEmpty ? " script-src " : "; script-src ") + updatedScriptSrcStr;
+  }
+  if(!foundObjectSrcMatch){
+    newCspHeader = newCspHeader.trim() + "; object-src  'none'";
+  }
+  resp.setHeader("Content-Security-Policy", newCspHeader);
 %>
 
 <!DOCTYPE html>
@@ -46,7 +83,6 @@ limitations under the License.
   <meta charset="UTF-8">
   <meta name="description" content="">
   <meta name="viewport" content="width=device-width, initial-scale=1">
-  <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-<%= NX_NONCE_VALUE %>' 'strict-dynamic'; object-src 'none'">
 
   <title><%= Framework.getProperty(Environment.PRODUCT_NAME) %></title>