CSP: send different headera for /collection/{slug} and other pages.

Addressed to #226

Author: php-coder

src/main/java/ru/mystamps/web/support/spring/security/SecurityConfig.java

@@ -46,6 +46,11 @@
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
+import org.springframework.security.web.header.HeaderWriter;
+import org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter;
+import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
 
 import ru.mystamps.web.Url;
 import ru.mystamps.web.config.ServicesConfig;
@@ -117,39 +122,22 @@ protected void configure(HttpSecurity http) throws Exception {
 				.disable()
 			.headers()
 				.defaultsDisabled() // TODO
-				.contentSecurityPolicy(
-					// default policy prevents loading resources from any source
-					"default-src 'none'; "
-					// 'self' is required for: our own CSS files
-					// 'https://cdn.rawgit.com' is required for: languages.min.css (TODO: GH #246)
-					// 'https://www.gstatic.com' is required for: Google Charts on collection page.
-					// 'sha256-Dpm...' is required for: 'box-shadow: none; border: 0px;' inline CSS
-					// that are using on /series/add and /series/{id} pages.
-					// 'sha256-/kX...' is required for: 'overflow: hidden;' inline CSS that is using
-					// bg Google Charts on collection page.
-					+ "style-src 'self' https://cdn.rawgit.com https://www.gstatic.com "
-						+ "'sha256-DpmxvnMJIlwkpmmAANZYNzmyfnX2PQCBDO4CB2BFjzU=' "
-						+ "'sha256-/kXZODfqoc2myS1eI6wr0HH8lUt+vRhW8H/oL+YJcMg='; "
-					// 'self' is required for: our own JS files
-					// 'unsafe-inline' is required for: jquery.min.js (that is using code inside of
-					// event handlers. We can't use hashing algorithms because they aren't supported
-					// for handlers. In future, we should get rid of jQuery or use
-					// 'unsafe-hashed-attributes' from CSP3. Details:
-					// https://github.com/jquery/jquery/blob/d71f6a53927ad02d/jquery.js#L1441-L1447
-					// and https://w3c.github.io/webappsec-csp/#unsafe-hashed-attributes-usage)
-					// 'unsafe-eval' is required for: loader.js (for Google Charts)
-					// 'https://www.gstatic.com' is required for: Google Charts on collection page.
-					+ "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com; "
-					// 'self' is required for: AJAX requests from our scripts (country suggestions)
-					+ "connect-src 'self'; "
-					// 'self' is required for: uploaded images and its previews
-					// 'https://cdn.rawgit.com' is required for: languages.png (TODO: GH #246)
-					// 'https://raw.githubusercontent.com' is required for: languages.png
-					+ "img-src 'self' https://cdn.rawgit.com https://raw.githubusercontent.com; "
-					// 'self' is required for: glyphicons-halflings-regular.woff2 from bootstrap
-					+ "font-src 'self'; "
-					+ "report-uri https://mystamps.report-uri.io/r/default/csp/reportOnly"
-				).reportOnly();
+				.addHeaderWriter(
+					new DelegatingRequestMatcherHeaderWriter(
+						new NegatedRequestMatcher(
+							new AntPathRequestMatcher(
+								Url.INFO_COLLECTION_PAGE.replace("{slug}", "**")
+							)
+						),
+						getCspForCommonPages()
+					)
+				)
+				.addHeaderWriter(
+					new DelegatingRequestMatcherHeaderWriter(
+						new AntPathRequestMatcher(Url.INFO_COLLECTION_PAGE.replace("{slug}", "**")),
+						getCspForCollectionInfoPage()
+					)
+				);
 	}
 
 	// Used in ServicesConfig.getUserService()
@@ -210,4 +198,74 @@ private UserDetailsService getUserDetailsService() {
 		return new CustomUserDetailsService(servicesConfig.getUserService());
 	}
 
+	private HeaderWriter getCspForCommonPages() {
+		ContentSecurityPolicyHeaderWriter writer = new ContentSecurityPolicyHeaderWriter(
+			// default policy prevents loading resources from any source
+			"default-src 'none'; "
+			// 'self' is required for: our own CSS files
+			// 'https://cdn.rawgit.com' is required for: languages.min.css (TODO: GH #246)
+			// 'sha256-Dpm...' is required for: 'box-shadow: none; border: 0px;' inline CSS
+			// that are using on /series/add and /series/{id} pages.
+			+ "style-src 'self' https://cdn.rawgit.com "
+				+ "'sha256-DpmxvnMJIlwkpmmAANZYNzmyfnX2PQCBDO4CB2BFjzU='; "
+			// 'self' is required for: our own JS files
+			// 'unsafe-inline' is required for: jquery.min.js (that is using code inside of
+			// event handlers. We can't use hashing algorithms because they aren't supported
+			// for handlers. In future, we should get rid of jQuery or use
+			// 'unsafe-hashed-attributes' from CSP3. Details:
+			// https://github.com/jquery/jquery/blob/d71f6a53927ad02d/jquery.js#L1441-L1447
+			// and https://w3c.github.io/webappsec-csp/#unsafe-hashed-attributes-usage)
+			+ "script-src 'self' 'unsafe-inline'; "
+			// 'self' is required for: AJAX requests from our scripts (country suggestions)
+			+ "connect-src 'self'; "
+			// 'self' is required for: uploaded images and its previews
+			// 'https://cdn.rawgit.com' is required for: languages.png (TODO: GH #246)
+			// 'https://raw.githubusercontent.com' is required for: languages.png
+			+ "img-src 'self' https://cdn.rawgit.com https://raw.githubusercontent.com; "
+			// 'self' is required for: glyphicons-halflings-regular.woff2 from bootstrap
+			+ "font-src 'self'; "
+			+ "report-uri https://mystamps.report-uri.io/r/default/csp/reportOnly"
+		);
+		writer.setReportOnly(true);
+		return writer;
+	}
+	
+	private HeaderWriter getCspForCollectionInfoPage() {
+		ContentSecurityPolicyHeaderWriter writer = new ContentSecurityPolicyHeaderWriter(
+			// default policy prevents loading resources from any source
+			"default-src 'none'; "
+			// 'self' is required for: our own CSS files
+			// 'https://cdn.rawgit.com' is required for: languages.min.css (TODO: GH #246)
+			// 'https://www.gstatic.com' is required for: Google Charts on collection page.
+			// 'sha256-Dpm...' is required for: 'box-shadow: none; border: 0px;' inline CSS
+			// that are using on /series/add and /series/{id} pages.
+			// 'sha256-/kX...' is required for: 'overflow: hidden;' inline CSS that is using
+			// bg Google Charts on collection page.
+			+ "style-src 'self' https://cdn.rawgit.com https://www.gstatic.com "
+				+ "'sha256-DpmxvnMJIlwkpmmAANZYNzmyfnX2PQCBDO4CB2BFjzU=' "
+				+ "'sha256-/kXZODfqoc2myS1eI6wr0HH8lUt+vRhW8H/oL+YJcMg='; "
+			// 'self' is required for: our own JS files
+			// 'unsafe-inline' is required for: jquery.min.js (that is using code inside of
+			// event handlers. We can't use hashing algorithms because they aren't supported
+			// for handlers. In future, we should get rid of jQuery or use
+			// 'unsafe-hashed-attributes' from CSP3. Details:
+			// https://github.com/jquery/jquery/blob/d71f6a53927ad02d/jquery.js#L1441-L1447
+			// and https://w3c.github.io/webappsec-csp/#unsafe-hashed-attributes-usage)
+			// 'unsafe-eval' is required for: loader.js (for Google Charts)
+			// 'https://www.gstatic.com' is required for: Google Charts on collection page.
+			+ "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com; "
+			// 'self' is required for: AJAX requests from our scripts (country suggestions)
+			+ "connect-src 'self'; "
+			// 'self' is required for: uploaded images and its previews
+			// 'https://cdn.rawgit.com' is required for: languages.png (TODO: GH #246)
+			// 'https://raw.githubusercontent.com' is required for: languages.png
+			+ "img-src 'self' https://cdn.rawgit.com https://raw.githubusercontent.com; "
+			// 'self' is required for: glyphicons-halflings-regular.woff2 from bootstrap
+			+ "font-src 'self'; "
+			+ "report-uri https://mystamps.report-uri.io/r/default/csp/reportOnly"
+		);
+		writer.setReportOnly(true);
+		return writer;
+	}
+	
 }