
Commit c3ee90e

committed
CSP: adjust configuration to use images from external host on prod.
Addresses #226
1 parent d63e5a1 commit c3ee90e


1 file changed

+9
-4
lines changed


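--- a/src/main/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriter.java
+++ b/src/main/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriter.java
@@ -42,11 +42,16 @@ class ContentSecurityPolicyHeaderWriter implements HeaderWriter {
 // default policy prevents loading resources from any source
 private static final String DEFAULT_SRC = "default-src 'none'";
 
-// - 'self' is required for uploaded images and its previews
 // - 'https://cdn.rawgit.com' is required by languages.png (TODO: GH #246)
 // - 'https://raw.githubusercontent.com' is required by languages.png
 // CheckStyle: ignore LineLength for next 1 line
-private static final String IMG_SRC = "img-src 'self' https://cdn.rawgit.com https://raw.githubusercontent.com";
+private static final String IMG_SRC = "img-src https://cdn.rawgit.com https://raw.githubusercontent.com";
+
+// - 'self' is required for uploaded images and its previews
+private static final String IMG_SRC_SELF = " 'self'";
+
+// - 'https://stamps.filezz.ru' is required for uploaded images and its previews
+private static final String IMG_SRC_CDN = " https://stamps.filezz.ru";
 
 // - 'self' is required by glyphicons-halflings-regular.woff2 from bootstrap
 private static final String FONT_SRC_SELF = "font-src 'self'";
@@ -128,14 +133,14 @@ public void writeHeaders(HttpServletRequest request, HttpServletResponse respons
 response.setHeader("Content-Security-Policy-Report-Only", constructDirectives(uri));
 }
 
-@SuppressWarnings("PMD.NPathComplexity")
+@SuppressWarnings({ "PMD.NPathComplexity", "PMD.ModifiedCyclomaticComplexity" })
 private String constructDirectives(String uri) {
 boolean onCollectionInfoPage = uri.startsWith(COLLECTION_INFO_PAGE_PATTERN);
 
 StringBuilder sb = new StringBuilder(MIN_HEADER_LENGTH);
 
 sb.append(DEFAULT_SRC).append(SEPARATOR)
-.append(IMG_SRC).append(SEPARATOR)
+.append(IMG_SRC).append(useSingleHost ? IMG_SRC_SELF : IMG_SRC_CDN).append(SEPARATOR)
 .append(useSingleHost ? FONT_SRC_SELF : FONT_SRC_CDN).append(SEPARATOR)
 .append(REPORT_URI).append(SEPARATOR)
 .append(STYLE_SRC)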
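Review bot: When `useSingleHost` is false, the img-src directive built by `.append(IMG_SRC).append(useSingleHost ? IMG_SRC_SELF : IMG_SRC_CDN)` no longer contains 'self' at all, so on prod any image still served from the application's own origin — not only uploads — would be reported as a violation. Whether such same-origin images exist is not visible in this hunk; since the header is still sent as `Content-Security-Policy-Report-Only`, the report-uri output should be checked for img-src reports before this policy is ever switched to enforcing. If dropping 'self' on prod is deliberate, the comment on `IMG_SRC_CDN` should say so, e.g. `// - on prod uploaded images are served only from https://stamps.filezz.ru, so 'self' is intentionally omitted`. A smaller point of style: `IMG_SRC_SELF`/`IMG_SRC_CDN` are space-prefixed fragments while `FONT_SRC_SELF`/`FONT_SRC_CDN` are complete directives; making the img-src constants complete directives too would keep the two conditional appends parallel. `constructDirectives` continues past the end of the hunk.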
