Default X-Xss-Protection header value to "0"
Closes gh-9631
committed by
Steve Riesenberg
parent
dcda899c8c
commit
27059ced87
+2
-50
@@ -29,6 +29,7 @@ import org.springframework.util.Assert;
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @author Ankur Pathak
|
||||
* @author Daniel Garnier-Moiroux
|
||||
* @since 3.2
|
||||
*/
|
||||
public final class XXssProtectionHeaderWriter implements HeaderWriter {
|
||||
@@ -41,7 +42,7 @@ public final class XXssProtectionHeaderWriter implements HeaderWriter {
|
||||
* Create a new instance
|
||||
*/
|
||||
public XXssProtectionHeaderWriter() {
|
||||
this.headerValue = HeaderValue.ENABLED_MODE_BLOCK;
|
||||
this.headerValue = HeaderValue.DISABLED;
|
||||
}
|
||||
|
||||
@Override
|
||||
@@ -51,55 +52,6 @@ public final class XXssProtectionHeaderWriter implements HeaderWriter {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* If true, will contain a value of 1. For example:
|
||||
*
|
||||
* <pre>
|
||||
* X-XSS-Protection: 1
|
||||
* </pre>
|
||||
*
|
||||
* or if {@link #setBlock(boolean)} is true
|
||||
*
|
||||
*
|
||||
* <pre>
|
||||
* X-XSS-Protection: 1; mode=block
|
||||
* </pre>
|
||||
*
|
||||
* If false, will explicitly disable specify that X-XSS-Protection is disabled. For
|
||||
* example:
|
||||
*
|
||||
* <pre>
|
||||
* X-XSS-Protection: 0
|
||||
* </pre>
|
||||
* @param enabled the new value
|
||||
* @deprecated use {@link XXssProtectionHeaderWriter#setHeaderValue(HeaderValue)}
|
||||
* instead
|
||||
*/
|
||||
@Deprecated
|
||||
public void setEnabled(boolean enabled) {
|
||||
if (!enabled) {
|
||||
this.headerValue = HeaderValue.DISABLED;
|
||||
}
|
||||
else if (this.headerValue == HeaderValue.DISABLED) {
|
||||
this.headerValue = HeaderValue.ENABLED;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* If false, will not specify the mode as blocked. In this instance, any content will
|
||||
* be attempted to be fixed. If true, the content will be replaced with "#".
|
||||
* @param block the new value
|
||||
* @deprecated use {@link XXssProtectionHeaderWriter#setHeaderValue(HeaderValue)}
|
||||
* instead
|
||||
*/
|
||||
@Deprecated
|
||||
public void setBlock(boolean block) {
|
||||
if (this.headerValue == HeaderValue.DISABLED && block) {
|
||||
throw new IllegalArgumentException("Cannot set block to true with enabled false");
|
||||
}
|
||||
this.headerValue = block ? HeaderValue.ENABLED_MODE_BLOCK : HeaderValue.ENABLED;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the value of the X-XSS-PROTECTION header.
|
||||
* <p>
|
||||
|
||||
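Review bot: The servlet writer's setHeaderValue Javadoc at the tail of the third hunk (`* Sets the value of the X-XSS-PROTECTION header.`) is left untouched, while the identical sentence in XXssProtectionServerHttpHeadersWriter gains a default note in this same commit; the two writers should document the same contract, e.g. `* Sets the value of the X-XSS-PROTECTION header. Defaults to` / `* {@link HeaderValue#DISABLED}.`. As far as this rendering shows (no +/- markers survive), the third hunk also drops the public `@Deprecated` setEnabled(boolean) and setBlock(boolean) methods, which neither the title nor `Closes gh-9631` mentions; if that removal is intended, the commit message should name it as a source-incompatible change, since the `@Deprecated` annotations in view carry no forRemoval marker. The setHeaderValue method itself begins past the end of the hunk.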
+3
-52
@@ -41,7 +41,7 @@ public class XXssProtectionServerHttpHeadersWriter implements ServerHttpHeadersW
|
||||
* Creates a new instance
|
||||
*/
|
||||
public XXssProtectionServerHttpHeadersWriter() {
|
||||
this.headerValue = HeaderValue.ENABLED_MODE_BLOCK;
|
||||
this.headerValue = HeaderValue.DISABLED;
|
||||
updateDelegate();
|
||||
}
|
||||
|
||||
@@ -51,57 +51,8 @@ public class XXssProtectionServerHttpHeadersWriter implements ServerHttpHeadersW
|
||||
}
|
||||
|
||||
/**
|
||||
* If true, will contain a value of 1. For example:
|
||||
*
|
||||
* <pre>
|
||||
* X-XSS-Protection: 1
|
||||
* </pre>
|
||||
*
|
||||
* or if {@link #setBlock(boolean)} is true
|
||||
*
|
||||
*
|
||||
* <pre>
|
||||
* X-XSS-Protection: 1; mode=block
|
||||
* </pre>
|
||||
*
|
||||
* If false, will explicitly disable specify that X-XSS-Protection is disabled. For
|
||||
* example:
|
||||
*
|
||||
* <pre>
|
||||
* X-XSS-Protection: 0
|
||||
* </pre>
|
||||
* @param enabled the new value
|
||||
* @deprecated use
|
||||
* {@link XXssProtectionServerHttpHeadersWriter#setHeaderValue(HeaderValue)} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public void setEnabled(boolean enabled) {
|
||||
if (!enabled) {
|
||||
this.headerValue = HeaderValue.DISABLED;
|
||||
}
|
||||
else if (this.headerValue == HeaderValue.DISABLED) {
|
||||
this.headerValue = HeaderValue.ENABLED;
|
||||
}
|
||||
updateDelegate();
|
||||
}
|
||||
|
||||
/**
|
||||
* If false, will not specify the mode as blocked. In this instance, any content will
|
||||
* be attempted to be fixed. If true, the content will be replaced with "#".
|
||||
* @param block the new value
|
||||
* @deprecated use
|
||||
* {@link XXssProtectionServerHttpHeadersWriter#setHeaderValue(HeaderValue)} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public void setBlock(boolean block) {
|
||||
Assert.isTrue(this.headerValue != HeaderValue.DISABLED || !block,
|
||||
"Cannot set block to true with enabled false");
|
||||
this.headerValue = block ? HeaderValue.ENABLED_MODE_BLOCK : HeaderValue.ENABLED;
|
||||
updateDelegate();
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the value of the X-XSS-PROTECTION header.
|
||||
* Sets the value of the X-XSS-PROTECTION header. Defaults to
|
||||
* {@link HeaderValue#DISABLED}
|
||||
* <p>
|
||||
* If {@link HeaderValue#DISABLED}, will specify that X-XSS-Protection is disabled.
|
||||
* For example:
|
||||
|
||||
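Review bot: The constructor Javadoc in the first hunk (`* Creates a new instance`) says nothing about the value the constructor now selects, even though its body is the line this commit changes to `HeaderValue.DISABLED`; the same applies to `* Create a new instance` in XXssProtectionHeaderWriter. A one-line summary such as `* Creates a new instance that writes {@code X-XSS-Protection: 0} ({@link HeaderValue#DISABLED}).` lets readers see the default from the class doc without opening setHeaderValue. In the second hunk the added sentence `Defaults to {@link HeaderValue#DISABLED}` runs straight into `<p>`; a terminating period keeps the first-sentence summary well-formed. The setHeaderValue method continues outside the hunk.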
+1
-32
@@ -28,6 +28,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
|
||||
/**
|
||||
* @author Rob Winch
|
||||
* @author Ankur Pathak
|
||||
* @author Daniel Garnier-Moiroux
|
||||
*
|
||||
*/
|
||||
public class XXssProtectionHeaderWriterTests {
|
||||
@@ -49,43 +50,11 @@ public class XXssProtectionHeaderWriterTests {
|
||||
|
||||
@Test
|
||||
public void writeHeaders() {
|
||||
this.writer.writeHeaders(this.request, this.response);
|
||||
assertThat(this.response.getHeaderNames()).hasSize(1);
|
||||
assertThat(this.response.getHeaderValues("X-XSS-Protection")).containsOnly("1; mode=block");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void writeHeadersNoBlock() {
|
||||
this.writer.setBlock(false);
|
||||
this.writer.writeHeaders(this.request, this.response);
|
||||
assertThat(this.response.getHeaderNames()).hasSize(1);
|
||||
assertThat(this.response.getHeaderValues("X-XSS-Protection")).containsOnly("1");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void writeHeadersDisabled() {
|
||||
this.writer.setBlock(false);
|
||||
this.writer.setEnabled(false);
|
||||
this.writer.writeHeaders(this.request, this.response);
|
||||
assertThat(this.response.getHeaderNames()).hasSize(1);
|
||||
assertThat(this.response.getHeaderValues("X-XSS-Protection")).containsOnly("0");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void setEnabledFalseWithBlockTrue() {
|
||||
this.writer.setEnabled(false);
|
||||
this.writer.writeHeaders(this.request, this.response);
|
||||
assertThat(this.response.getHeaderNames()).hasSize(1);
|
||||
assertThat(this.response.getHeaderValues("X-XSS-Protection")).containsOnly("0");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void setBlockTrueWithEnabledFalse() {
|
||||
this.writer.setBlock(false);
|
||||
this.writer.setEnabled(false);
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.writer.setBlock(true));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void writeHeaderWhenNotPresent() {
|
||||
String value = new String("value");
|
||||
|
||||
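Review bot: The tests that appear to be removed in the second hunk (writeHeadersNoBlock, writeHeadersDisabled, setEnabledFalseWithBlockTrue, setBlockTrueWithEnabledFalse) were the only ones in view that asserted the `1` and `1; mode=block` forms, and the surviving writeHeaders test seems to check only the new default `0` (this rendering carries no +/- markers, so the exact line assignment is inferred). Unless another test in this class drives setHeaderValue, the non-default header values lose coverage; the same applies to the second and third tests dropped from XXssProtectionServerHttpHeadersWriterTests. Rather than deleting outright, port the deleted cases to the supported setter, for example:
```java
@Test
public void writeHeadersWhenHeaderValueEnabledModeBlockThenWriteHeaders() {
	this.writer.setHeaderValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK);
	this.writer.writeHeaders(this.request, this.response);
	assertThat(this.response.getHeaderNames()).hasSize(1);
	assertThat(this.response.getHeaderValues("X-XSS-Protection")).containsOnly("1; mode=block");
}
// … a matching test for HeaderValue.ENABLED expecting "1" …
```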
-17
@@ -46,23 +46,6 @@ public class XXssProtectionServerHttpHeadersWriterTests {
|
||||
|
||||
@Test
|
||||
public void writeHeadersWhenNoHeadersThenWriteHeaders() {
|
||||
this.writer.writeHttpHeaders(this.exchange);
|
||||
assertThat(this.headers).hasSize(1);
|
||||
assertThat(this.headers.get(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION))
|
||||
.containsOnly("1 ; mode=block");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void writeHeadersWhenBlockFalseThenWriteHeaders() {
|
||||
this.writer.setBlock(false);
|
||||
this.writer.writeHttpHeaders(this.exchange);
|
||||
assertThat(this.headers).hasSize(1);
|
||||
assertThat(this.headers.get(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION)).containsOnly("1");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void writeHeadersWhenEnabledFalseThenWriteHeaders() {
|
||||
this.writer.setEnabled(false);
|
||||
this.writer.writeHttpHeaders(this.exchange);
|
||||
assertThat(this.headers).hasSize(1);
|
||||
assertThat(this.headers.get(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION)).containsOnly("0");
|
||||
|
||||