From aec41053201e48de03767b5015027bda4f8ac42e Mon Sep 17 00:00:00 2001
From: alokhyland
Date: Sun, 15 Dec 2024 18:19:50 +0530
Subject: [PATCH] WEBUI-1498: Restrict object-src to 'none' in CSP
---
 .../main/resources/web/nuxeo.war/ui/index.jsp | 38 ++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)
diff --git a/plugin/web-ui/addon/src/main/resources/web/nuxeo.war/ui/index.jsp b/plugin/web-ui/addon/src/main/resources/web/nuxeo.war/ui/index.jsp
index 8ae91e9612..dc887d0603 100644
--- a/plugin/web-ui/addon/src/main/resources/web/nuxeo.war/ui/index.jsp
+++ b/plugin/web-ui/addon/src/main/resources/web/nuxeo.war/ui/index.jsp
@@ -22,6 +22,8 @@ limitations under the License.
 <%@ page import="org.nuxeo.runtime.api.Framework"%>
 <%@ page import="org.nuxeo.ecm.core.api.repository.RepositoryManager"%>
 <%@ page import="org.nuxeo.common.utils.UserAgentMatcher"%>
+<%@ page import="javax.servlet.http.HttpServletResponse" %>
+
 <%
 String ua = request.getHeader("user-agent");
@@ -36,7 +38,42 @@ limitations under the License.
 } else {
 baseUrl = context + "/repo/" + repository + "/ui/";
 }
+ HttpServletResponse resp = (HttpServletResponse) pageContext.getResponse();
 String NX_NONCE_VALUE = UUID.randomUUID().toString();
+ String updatedScriptSrcStr = "'self' 'strict-dynamic' 'nonce-" + NX_NONCE_VALUE + "'";
+ String cspHeader = resp.getHeader("Content-Security-Policy");
+ String newCspHeader = "";
+ boolean isExistingCspHeaderEmpty = false;
+ if(cspHeader != null || cspHeader.trim().isEmpty()) {
+ isExistingCspHeaderEmpty = true;
+ cspHeader = "";
+ }
+ String scriptSrc = "";
+ String directive = null;
+ String[] directives = cspHeader.split(";");
+ boolean foundScriptSrcMatch = false;
+ boolean foundObjectSrcMatch = false;
+ for (int i = 0; i < directives.length; i++) {
+ directive = directives[i].trim();
+ if (directive.startsWith("script-src ")) {
+ foundScriptSrcMatch = true;
+ directive = directive.trim() + " " + updatedScriptSrcStr;
+ directives[i] = directive;
+ }
+ if (directive.startsWith("object-src ")) {
+ foundObjectSrcMatch = true;
+ }
+ }
+ if(foundScriptSrcMatch) {
+ newCspHeader = String.join(";", directives);
+ }
+ else {
+ newCspHeader = cspHeader.trim() + (isExistingCspHeaderEmpty ? " script-src " : "; script-src ") + updatedScriptSrcStr;
+ }
+ if(!foundObjectSrcMatch){
+ newCspHeader = newCspHeader.trim() + "; object-src 'none'";
+ }
+ resp.setHeader("Content-Security-Policy", newCspHeader);
 %>
@@ -46,7 +83,6 @@ limitations under the License.
- <%= Framework.getProperty(Environment.PRODUCT_NAME) %>
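Review bot: The guard `if(cspHeader != null || cspHeader.trim().isEmpty())` in the second hunk is inverted: a response that already carries a Content-Security-Policy header enters the branch and has that policy overwritten with an empty string, while a response with no header short-circuits into `cspHeader.trim()` and throws a NullPointerException, so the merge loop below never sees a pre-existing policy and any directives the platform had already set are silently lost. It should read `if (cspHeader == null || cspHeader.trim().isEmpty()) {`. Two smaller points in the same hunk: `scriptSrc` is declared and never used, and the `startsWith("script-src ")` / `startsWith("object-src ")` checks are case-sensitive and require a trailing space, so a directive name in a different case or a bare `object-src` with no source list is not detected and would be appended a second time; comparing the first whitespace-separated token case-insensitively would be more robust. The scriptlet that contains this code opens before the hunk.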