Mark,

On 3/24/20 17:51, Mark Thomas wrote:
> On 24/03/2020 21:28, Christopher Schultz wrote:
>> All,
>>
>> While replying to James's recent message about this filter's
>> anti click-jacking features[1], I was surprised to see that this
>> filter does not have any support for the Content-Security-Policy
>> header.
>>
>> Adding such support would be fairly simple: simply add a
>> "contentSecurityPolicy" attribute which gets dumped-out to every
>> response as a Content-Security-Policy header.
>>
>> Any votes for/against?
>
> See: https://bz.apache.org/bugzilla/show_bug.cgi?id=58837
>
> No objections to your proposal. I do wonder about the more general
> solution but I don't see that as a reason not to do this.

My 2018 self was a little more skeptical. 2020 me thinks that it's
useful to bundle this into HttpHeaderSecurityFilter. CSP is a single
header, not a suite of things like the anti-clickjacking ended up
being. Using url-rewrite for a single header is unnecessarily complex.
Using Tomcat's rewrite for a single header might be reasonable, except
that we already have a Filter essentially built for this kind of thing.

-chris
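What the proposed attribute would amount to in code, shown here as an added stand-alone illustration rather than Tomcat's HttpHeaderSecurityFilter source. The class name, the init-param name "contentSecurityPolicy", the refusal of CR/LF in the value and the "do not clobber an existing header" rule are all assumptions of this sketch, not behaviour the thread describes:

```java
// Hypothetical filter illustrating the proposal in the thread above.
// This is NOT Tomcat's HttpHeaderSecurityFilter; names and checks are assumed.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ContentSecurityPolicyFilter implements Filter {

    private static final String HEADER = "Content-Security-Policy";

    // The policy string copied verbatim into every response.
    private String policy;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Init-param name mirrors the attribute name proposed in the thread (assumed).
        String value = config.getInitParameter("contentSecurityPolicy");
        if (value == null || value.trim().isEmpty()) {
            throw new ServletException("contentSecurityPolicy init-param must be set");
        }
        // A header value is a single line. Refuse CR/LF so a mis-edited
        // web.xml cannot turn into header injection / response splitting.
        if (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
            throw new ServletException("contentSecurityPolicy must not contain CR or LF");
        }
        policy = value.trim();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse resp = (HttpServletResponse) response;
            // Set the header before invoking the chain so it is present even if
            // the application commits the response early. If an earlier filter
            // already set a policy, leave it alone rather than overwrite it.
            if (!resp.containsHeader(HEADER)) {
                resp.setHeader(HEADER, policy);
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Wired up with an ordinary `<filter>` entry in web.xml whose `<init-param>` carries the policy text, the filter does exactly what the proposal describes: one attribute, one header, stamped on every response that passes through the mapped URL pattern. Note that the application can still override the value by calling setHeader later in the chain, which is usually the desired precedence.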