From 88b2de5a8520c25993f625aa8035da9c9cfebc98 Mon Sep 17 00:00:00 2001
From: peggimann
Date: Thu, 9 Nov 2023 15:23:32 +0100
Subject: [PATCH] implement csp
---
 .../src/main/java/ch/puzzle/okr/SecurityConfig.java | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/backend/src/main/java/ch/puzzle/okr/SecurityConfig.java b/backend/src/main/java/ch/puzzle/okr/SecurityConfig.java
index e7065447fd..beb7cc5c2c 100644
--- a/backend/src/main/java/ch/puzzle/okr/SecurityConfig.java
+++ b/backend/src/main/java/ch/puzzle/okr/SecurityConfig.java
@@ -36,13 +36,11 @@ public SecurityFilterChain securityHeadersFilter(HttpSecurity http) throws Excep
 }
 
 private HttpSecurity setHeaders(HttpSecurity http) throws Exception {
- http.headers()
- .contentSecurityPolicy("default-src 'self';" + " script-src 'self';"
- + " style-src 'self';" + " object-src 'none';" + " base-uri 'self';"
- + " connect-src 'self';" + " font-src 'self';" + " frame-src 'self';"
- + " img-src 'self';" + " manifest-src 'self';" + " media-src 'self';"
- + " worker-src 'none';")
- .and()
+ http.headers().contentSecurityPolicy("default-src 'self';" + " script-src 'self';"
+ + " style-src 'self' unsafe-inline;" + " object-src 'none';" + " base-uri 'self';"
+ + " connect-src 'self' https://idp-mock-okr.ocp-internal.cloudscale.puzzle.ch; https://sso.puzzle.ch;"
+ + " font-src 'self';" + " frame-src 'self';" + " img-src 'self';"
+ + " manifest-src 'self';" + " media-src 'self';" + " worker-src 'none';").and()
 .crossOriginEmbedderPolicy(coepCustomizer -> coepCustomizer
 .policy(CrossOriginEmbedderPolicyHeaderWriter.CrossOriginEmbedderPolicy.REQUIRE_CORP).and()
 .crossOriginOpenerPolicy(coopCustomizer -> coopCustomizer
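Review bot: Two of the new CSP string fragments are malformed, so the header will not enforce what the author intended. In `" style-src 'self' unsafe-inline;"` the keyword must be quoted — an unquoted `unsafe-inline` is parsed as a host-source named "unsafe-inline" and has no effect, so inline styles stay blocked; and in the connect-src fragment the `;` after the mock-IdP host terminates the directive, leaving `https://sso.puzzle.ch` as an unknown directive that browsers discard, so fetch/XHR to that origin will be refused. The two added lines should read `+ " style-src 'self' 'unsafe-inline';" + " object-src 'none';" + " base-uri 'self';"` and `+ " connect-src 'self' https://idp-mock-okr.ocp-internal.cloudscale.puzzle.ch https://sso.puzzle.ch;"`. Since the former also weakens protection against CSS injection and the latter hard-codes an environment-specific mock host into every deployment's policy, a nonce or hash for the specific inline styles and reading the allowed IdP origins from configuration would be the tighter form. setHeaders continues past the end of the hunk.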