Add Cross Origin Policies headers
Add DSL support for Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy and Cross-Origin-Resource-Policy headers

Closes gh-9385, gh-10118
committed by Eleftheria Stein-Kousathana
parent 7ec3b55ab3
commit 65426a40ec
@@ -378,6 +378,26 @@ Clear-Site-Data: "cache", "cookies", "storage", "executionContexts"

This is a nice clean-up action to perform on logout.

[[headers-cross-origin-policies]]
== Cross-Origin Policies

[NOTE]
====
Refer to the relevant sections to see how to configure for both <<servlet-headers-cross-origin-policies,servlet>> and <<webflux-headers-cross-origin-policies,webflux>> based applications.
====

Spring Security provides support for some important Cross-Origin Policies headers.
Those headers are:

* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy[`Cross-Origin-Opener-Policy`]
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy[`Cross-Origin-Embedder-Policy`]
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy[`Cross-Origin-Resource-Policy`]

`Cross-Origin-Opener-Policy` (COOP) allows a top-level document to break the association between its window and any others in the browsing context group (e.g., between a popup and its opener), preventing any direct DOM access between them.

Enabling `Cross-Origin-Embedder-Policy` (COEP) prevents a document from loading any non-same-origin resources which don't explicitly grant the document permission to be loaded.

The `Cross-Origin-Resource-Policy` (CORP) header allows you to control the set of origins that are empowered to include a resource. It is a robust defense against attacks like https://meltdownattack.com[Spectre], as it allows browsers to block a given response before it enters an attacker's process.

[[headers-custom]]
== Custom Headers

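Review bot: the overview explains what COOP, COEP and CORP do but never says that Spring Security writes none of them by default (the servlet and WebFlux sections do), and the COEP paragraph ("prevents a document from loading any non-same-origin resources which don't explicitly grant the document permission") describes the `require-corp` value without naming it. Since `require-corp` blocks every cross-origin image, script or frame that does not send a CORP or CORS grant, the paragraph should name the value and warn that turning it on can break pages that embed third-party resources. Minor: the `Spectre` link text points at meltdownattack.com; make link text and target agree.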
@@ -578,3 +578,65 @@ fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
}
----
====

[[webflux-headers-cross-origin-policies]]
== Cross-Origin Policies

Spring Security provides built-in support for adding some Cross-Origin policies headers, those headers are:

[source]
----
Cross-Origin-Opener-Policy
Cross-Origin-Embedder-Policy
Cross-Origin-Resource-Policy
----

Spring Security does not add <<headers-cross-origin-policies,Cross-Origin Policies>> headers by default.
The headers can be added with the following configuration:

.Cross-Origin Policies
====
.Java
[source,java,role="primary"]
----
@EnableWebFluxSecurity
@EnableWebFlux
public class WebSecurityConfig {

@Bean
SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) {
http.headers((headers) -> headers
.crossOriginOpenerPolicy(CrossOriginOpenerPolicy.SAME_ORIGIN)
.crossOriginEmbedderPolicy(CrossOriginEmbedderPolicy.REQUIRE_CORP)
.crossOriginResourcePolicy(CrossOriginResourcePolicy.SAME_ORIGIN));
return http.build();
}
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebFluxSecurity
@EnableWebFlux
open class CrossOriginPoliciesCustomConfig {
@Bean
open fun springWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
headers {
crossOriginOpenerPolicy(CrossOriginOpenerPolicy.SAME_ORIGIN)
crossOriginEmbedderPolicy(CrossOriginEmbedderPolicy.REQUIRE_CORP)
crossOriginResourcePolicy(CrossOriginResourcePolicy.SAME_ORIGIN)
}
}
}
}
----
====

This configuration will write the headers with the values provided:
[source]
----
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-origin
----

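Review bot: the Java and Kotlin tabs are meant to be the same configuration but use different names (`WebSecurityConfig` / `securityFilterChain` versus `CrossOriginPoliciesCustomConfig` / `springWebFilterChain`); align them so the two tabs read as one example. The intro sentence is a comma splice ("... Cross-Origin policies headers, those headers are:"); split it in two. The section also shows exactly one value per header (`same-origin`, `require-corp`, `same-origin`) and never says other constants exist; either list the accepted values of `CrossOriginOpenerPolicy`, `CrossOriginEmbedderPolicy` and `CrossOriginResourcePolicy` or state that the ones shown are one choice among several, otherwise readers will take `REQUIRE_CORP` to be the only option.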
@@ -238,6 +238,9 @@ This allows HTTPS websites to resist impersonation by attackers using mis-issued
https://www.w3.org/TR/CSP2/[Content Security Policy (CSP)] is a mechanism that web applications can leverage to mitigate content injection vulnerabilities, such as cross-site scripting (XSS).
** `Referrer-Policy` - Can be set using the <<nsa-referrer-policy,referrer-policy>> element, https://www.w3.org/TR/referrer-policy/[Referrer-Policy] is a mechanism that web applications can leverage to manage the referrer field, which contains the last page the user was on.
** `Feature-Policy` - Can be set using the <<nsa-feature-policy,feature-policy>> element, https://wicg.github.io/feature-policy/[Feature-Policy] is a mechanism that allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser.
** `Cross-Origin-Opener-Policy` - Can be set using the <<nsa-cross-origin-opener-policy,cross-origin-opener-policy>> element, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy[Cross-Origin-Opener-Policy] is a mechanism that allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.
** `Cross-Origin-Embedder-Policy` - Can be set using the <<nsa-cross-origin-embedder-policy,cross-origin-embedder-policy>> element, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy[Cross-Origin-Embedder-Policy] is a mechanism that prevents a document from loading any cross-origin resources that don't explicitly grant the document permission.
** `Cross-Origin-Resource-Policy` - Can be set using the <<nsa-cross-origin-resource-policy,cross-origin-resource-policy>> element, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy[Cross-Origin-Resource-Policy] is a mechanism that conveys a desire that the browser blocks no-cors cross-origin/cross-site requests to the given resource.

[[nsa-headers-attributes]]
=== <headers> Attributes
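Review bot: the three new bullets are appended after `Feature-Policy`, while the `<headers>` child-element list in the next hunk sorts the same three elements alphabetically between `content-type-options` and `feature-policy`; pick one ordering for both lists. The `Cross-Origin-Resource-Policy` entry is also the only one written in spec language ("conveys a desire that the browser blocks no-cors cross-origin/cross-site requests"); phrasing it like the other two, e.g. "lets a resource declare which origins may embed it", would read better here.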
@@ -269,6 +272,9 @@ The default is false (the headers are enabled).
* <<nsa-cache-control,cache-control>>
* <<nsa-content-security-policy,content-security-policy>>
* <<nsa-content-type-options,content-type-options>>
* <<nsa-cross-origin-embedder-policy,cross-origin-embedder-policy>>
* <<nsa-cross-origin-opener-policy,cross-origin-opener-policy>>
* <<nsa-cross-origin-resource-policy,cross-origin-resource-policy>>
* <<nsa-feature-policy,feature-policy>>
* <<nsa-frame-options,frame-options>>
* <<nsa-header,header>>
@@ -584,6 +590,66 @@ Default false.



[[nsa-cross-origin-embedder-policy]]
==== <cross-origin-embedder-policy>
When enabled adds the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy[Cross-Origin-Embedder-Policy] header to the response.


[[nsa-cross-origin-embedder-policy-attributes]]
===== <cross-origin-embedder-policy> Attributes

[[nsa-cross-origin-embedder-policy-policy]]
* **policy**
The policy for the `Cross-Origin-Embedder-Policy` header.

[[nsa-cross-origin-embedder-policy-parents]]
===== Parent Elements of <cross-origin-embedder-policy>


* <<nsa-headers,headers>>



[[nsa-cross-origin-opener-policy]]
==== <cross-origin-opener-policy>
When enabled adds the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy[Cross-Origin-Opener-Policy] header to the response.


[[nsa-cross-origin-opener-policy-attributes]]
===== <cross-origin-opener-policy> Attributes

[[nsa-cross-origin-opener-policy-policy]]
* **policy**
The policy for the `Cross-Origin-Opener-Policy` header.

[[nsa-cross-origin-opener-policy-parents]]
===== Parent Elements of <cross-origin-opener-policy>


* <<nsa-headers,headers>>



[[nsa-cross-origin-resource-policy]]
==== <cross-origin-resource-policy>
When enabled adds the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy[Cross-Origin-Resource-Policy] header to the response.


[[nsa-cross-origin-resource-policy-attributes]]
===== <cross-origin-resource-policy> Attributes

[[nsa-cross-origin-resource-policy-policy]]
* **policy**
The policy for the `Cross-Origin-Resource-Policy` header.

[[nsa-cross-origin-resource-policy-parents]]
===== Parent Elements of <cross-origin-resource-policy>


* <<nsa-headers,headers>>



[[nsa-header]]
== <header>
Add additional headers to the response, both the name and value need to be specified.

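Review bot: each new `policy` attribute is documented only as "The policy for the `...` header." with no accepted values and no statement of whether the attribute is required; list the values the element accepts (the servlet and WebFlux sections show `same-origin`, `require-corp` and `same-origin`) and say what happens when `policy` is omitted. "When enabled adds the ... header" is also a loose fit for an element that is enabled simply by being present; "When present, adds the ... header" states what the XML actually does.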
@@ -938,6 +938,67 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
----
====

[[servlet-headers-cross-origin-policies]]
== Cross-Origin Policies

Spring Security provides built-in support for adding some Cross-Origin policies headers, those headers are:

[source]
----
Cross-Origin-Opener-Policy
Cross-Origin-Embedder-Policy
Cross-Origin-Resource-Policy
----

Spring Security does not add <<headers-cross-origin-policies,Cross-Origin Policies>> headers by default.
The headers can be added with the following configuration:

.Cross-Origin Policies
====
.Java
[source,java,role="primary"]
----
@EnableWebSecurity
public class WebSecurityConfig {

@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) {
http.headers((headers) -> headers
.crossOriginOpenerPolicy(CrossOriginOpenerPolicy.SAME_ORIGIN)
.crossOriginEmbedderPolicy(CrossOriginEmbedderPolicy.REQUIRE_CORP)
.crossOriginResourcePolicy(CrossOriginResourcePolicy.SAME_ORIGIN)));
return http.build();
}
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
open class CrossOriginPoliciesConfig {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
headers {
crossOriginOpenerPolicy(CrossOriginOpenerPolicy.SAME_ORIGIN)
crossOriginEmbedderPolicy(CrossOriginEmbedderPolicy.REQUIRE_CORP)
crossOriginResourcePolicy(CrossOriginResourcePolicy.SAME_ORIGIN)
}
}
return http.build()
}
}
----
====

This configuration will write the headers with the values provided:
[source]
----
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-origin
----

[[servlet-headers-custom]]
== Custom Headers
Spring Security has mechanisms to make it convenient to add the more common security headers to your application.

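Review bot: the Java sample does not compile. `.crossOriginResourcePolicy(CrossOriginResourcePolicy.SAME_ORIGIN)));` closes one parenthesis too many (the WebFlux version of the same line correctly ends with `));`), and `SecurityFilterChain securityFilterChain(HttpSecurity http)` calls `http.headers(...)` and `http.build()`, both of which declare `throws Exception`, so the method needs `throws Exception` in its signature. The Kotlin sample is fine; for consistency with the WebFlux hunk it would also help to give the Java class and bean method the same names in both tabs.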