Author: markt Date: Fri May 8 19:03:39 2015 New Revision: 1678427 URL: http://svn.apache.org/r1678427 Log: Add support for blocking content type sniffing
Modified:
    tomcat/trunk/conf/web.xml
    tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
    tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties
    tomcat/trunk/webapps/docs/config/filter.xml
Modified: tomcat/trunk/conf/web.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/web.xml?rev=1678427&r1=1678426&r2=1678427&view=diff
==============================================================================
--- tomcat/trunk/conf/web.xml (original)
+++ tomcat/trunk/conf/web.xml Fri May 8 19:03:39 2015
@@ -423,6 +423,10 @@
 <!-- -->
 <!-- antiClickJackingUri IF ALLOW-FROM is used, what URI should be -->
 <!-- allowed? [] -->
+ <!-- -->
+ <!-- blockContentTypeSniffingEnabled -->
+ <!-- Should the header that blocks content type -->
+ <!-- sniffing be added to every response? [true] -->
 <filter>
 <filter-name>httpHeaderSecurity</filter-name>
 <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
Modified: tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java?rev=1678427&r1=1678426&r2=1678427&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java Fri May 8 19:03:39 2015
@@ -52,6 +52,11 @@ public class HttpHeaderSecurityFilter ex
 private URI antiClickJackingUri;
 private String antiClickJackingHeaderValue;
+ // Block content sniffing
+ private static final String BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME = "X-Content-Type-Options";
+ private static final String BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE = "nosniff";
+ private boolean blockContentTypeSniffingEnabled = true;
+
 @Override
 public void init(FilterConfig filterConfig) throws ServletException {
 super.init(filterConfig);
@@ -93,6 +98,11 @@ public class HttpHeaderSecurityFilter ex
 ANTI_CLICK_JACKING_HEADER_NAME, antiClickJackingHeaderValue);
 }
+ // Block content type sniffing
+ if (blockContentTypeSniffingEnabled && response instanceof HttpServletResponse) {
+ ((HttpServletResponse) response).addHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
+ BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);
+ }
 chain.doFilter(request, response);
 }
@@ -163,7 +173,6 @@ public class HttpHeaderSecurityFilter ex
 }
-
 public void setAntiClickJackingOption(String antiClickJackingOption) {
 for (XFrameOption option : XFrameOption.values()) {
 if (option.getHeaderValue().equalsIgnoreCase(antiClickJackingOption)) {
@@ -171,8 +180,8 @@ public class HttpHeaderSecurityFilter ex
 return;
 }
 }
- // TODO i18n
- throw new IllegalArgumentException();
+ throw new IllegalArgumentException(
+ sm.getString("httpHeaderSecurityFilter.clickjack.invalid", antiClickJackingOption));
 }
@@ -182,6 +191,16 @@ public class HttpHeaderSecurityFilter ex
 }
+ public boolean isBlockContentTypeSniffingEnabled() {
+ return blockContentTypeSniffingEnabled;
+ }
+
+
+ public void setBlockContentTypeSniffingEnabled(
+ boolean blockContentTypeSniffingEnabled) {
+ this.blockContentTypeSniffingEnabled = blockContentTypeSniffingEnabled;
+ }
+
 public void setAntiClickJackingUri(String antiClickJackingUri) {
 URI uri;
Modified: tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties?rev=1678427&r1=1678426&r2=1678427&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/catalina/filters/LocalStrings.properties Fri May 8 19:03:39 2015
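Review bot: The new branch in doFilter uses `addHeader` for X-Content-Type-Options, which appends rather than replaces, so a response that already carries that header from the application or an upstream component ends up with two `X-Content-Type-Options` headers instead of one authoritative value. If the filter's value is meant to win, `((HttpServletResponse) response).setHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME, BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);` avoids the duplicate. The preceding anti-clickjacking call is cut off at the top of the hunk, so whether it also uses `addHeader` is not visible here; whichever method is chosen should be the same for all headers this filter emits. doFilter's signature and its earlier checks lie before the hunk.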
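Review bot: The accessors `isBlockContentTypeSniffingEnabled` and `setBlockContentTypeSniffingEnabled` added in the last hunk of this file are public API but carry no Javadoc, while the same commit documents the property in filter.xml and web.xml. A one-liner on the setter would keep the Java side in step, e.g. `/** Controls whether {@code X-Content-Type-Options: nosniff} is added to every response; defaults to {@code true}. */`. The default stated there matches the field initializer `private boolean blockContentTypeSniffingEnabled = true;` in the first hunk of this file.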
@@ -41,4 +41,6 @@ expiresFilter.expirationHeaderAlreadyDef
 expiresFilter.skippedStatusCode=Request "{0}" with response status "{1}" content-type "{1}", skip expiration header generation for given status
 httpHeaderSecurityFilter.committed=Unable to add HTTP headers since response is already committed on entry to the HTTP header security Filter
+httpHeaderSecurityFilter.clickjack.invalid=An invalid value [{0}] was specified for the anti click-jacking header
+
 remoteIpFilter.invalidLocation=Failed to modify the rewrite location [{0}] to use scheme [{1}] and port [{2}]
\ No newline at end of file
Modified: tomcat/trunk/webapps/docs/config/filter.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/filter.xml?rev=1678427&r1=1678426&r2=1678427&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/trunk/webapps/docs/config/filter.xml Fri May 8 19:03:39 2015
@@ -761,6 +761,12 @@ FINE: Request "/docs/config/manager.html
 empty string will be used.</p>
 </attribute>
+ <attribute name="blockContentTypeSniffingEnabled" required="false">
+ <p>Should the header that blocks content type sniffing be added to every
+ response. If not specified, the default value of <code>true</code> will
+ be used.</p>
+ </attribute>
+
 </attributes>
 </subsection>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org