CSP: adjust configuration to use selectizejs from CDN on prod.

php-coder · php-coder · commit 7e5f02e27852 · 2017-09-22T02:21:43.000+02:00
Addressed to #226
diff --git a/src/main/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriter.java b/src/main/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriter.java
@@ -78,6 +78,9 @@ class ContentSecurityPolicyHeaderWriter implements HeaderWriter {
 	private static final String STYLE_SERIES_ADD_IMAGE =
 		" 'sha256-DpmxvnMJIlwkpmmAANZYNzmyfnX2PQCBDO4CB2BFjzU='";
 	
+	// - 'https://cdnjs.cloudflare.com' is required by selectize.min.js
+	private static final String STYLE_SERIES_ADD_PAGE = " https://cdnjs.cloudflare.com";
+	
 	// - 'https://www.gstatic.com' is required by Google Charts
 	// - 'sha256-/kX...' is required for 'overflow: hidden;' inline CSS for Google Charts.
 	private static final String STYLE_COLLECTION_INFO =
@@ -106,6 +109,9 @@ class ContentSecurityPolicyHeaderWriter implements HeaderWriter {
 	private static final String SCRIPTS_CDN =
 		" https://stamps.filezz.ru https://maxcdn.bootstrapcdn.com https://yandex.st";
 	
+	// - 'https://cdnjs.cloudflare.com' is required by selectize.bootstrap3.min.css
+	private static final String SCRIPTS_SERIES_ADD_PAGE = " https://cdnjs.cloudflare.com";
+	
 	// - 'unsafe-eval' is required by loader.js from Google Charts
 	// - 'https://www.gstatic.com' is required by Google Charts
 	private static final String SCRIPT_COLLECTION_INFO = " 'unsafe-eval' https://www.gstatic.com";
@@ -136,6 +142,7 @@ public void writeHeaders(HttpServletRequest request, HttpServletResponse respons
 	@SuppressWarnings({ "PMD.NPathComplexity", "PMD.ModifiedCyclomaticComplexity" })
 	private String constructDirectives(String uri) {
 		boolean onCollectionInfoPage = uri.startsWith(COLLECTION_INFO_PAGE_PATTERN);
+		boolean onAddSeriesPage = uri.equals(Url.ADD_SERIES_PAGE);
 		
 		StringBuilder sb = new StringBuilder(MIN_HEADER_LENGTH);
 		
@@ -149,8 +156,12 @@ private String constructDirectives(String uri) {
 		if (onCollectionInfoPage) {
 			sb.append(STYLE_COLLECTION_INFO);
 		
-		} else if (uri.equals(Url.ADD_SERIES_PAGE) || uri.matches(ADD_IMAGE_PAGE_PATTERN)) {
+		} else if (uri.matches(ADD_IMAGE_PAGE_PATTERN)) {
 			sb.append(STYLE_SERIES_ADD_IMAGE);
+			
+			if (onAddSeriesPage) {
+				sb.append(STYLE_SERIES_ADD_PAGE);
+			}
 		
 		} else if (uri.startsWith(TOGGLZ_PAGES_PATTERN)) {
 			sb.append(STYLE_TOGGLZ);
@@ -164,8 +175,9 @@ private String constructDirectives(String uri) {
 			sb.append(SCRIPT_COLLECTION_INFO);
 		}
 		
-		if (uri.equals(Url.ADD_SERIES_PAGE)) {
-			sb.append(SEPARATOR)
+		if (onAddSeriesPage) {
+			sb.append(SCRIPTS_SERIES_ADD_PAGE)
+			  .append(SEPARATOR)
 			  .append(CONNECT_SRC);
 		}
 		
