Class ContentSecurityPolicyFilter

java.lang.Object
alpine.server.filters.ContentSecurityPolicyFilter
All Implemented Interfaces:
javax.servlet.Filter

public final class ContentSecurityPolicyFilter extends Object implements javax.servlet.Filter

Implements W3C Content Security Policy (Level 1 and 2).

This filter is configured via the application's web.xml.

An example configuration in web.xml:
 <filter>
     <filter-name>CspFilter</filter-name>
     <filter-class>alpine.server.filters.ContentSecurityPolicyFilter</filter-class>
     <init-param>
         <param-name>default-src</param-name>
         <param-value>'self'</param-value>
     </init-param>
     <init-param>
         <param-name>script-src</param-name>
         <param-value>'self' 'unsafe-inline'</param-value>
     </init-param>
     <init-param>
         <param-name>style-src</param-name>
         <param-value>'self'</param-value>
     </init-param>
     <init-param>
         <param-name>img-src</param-name>
         <param-value>'self'</param-value>
     </init-param>
     <init-param>
         <param-name>connect-src</param-name>
         <param-value>'self'</param-value>
     </init-param>
     <init-param>
         <param-name>font-src</param-name>
         <param-value>'self'</param-value>
     </init-param>
     <init-param>
         <param-name>object-src</param-name>
         <param-value>'self'</param-value>
     </init-param>
     <init-param>
         <param-name>media-src</param-name>
         <param-value>'self'</param-value>
     </init-param>
     <init-param>
         <param-name>frame-src</param-name>
         <param-value>'self'</param-value>
     </init-param>
     <init-param>
         <param-name>sandbox</param-name>
         <param-value>allow-forms</param-value>
     </init-param>
     <init-param>
         <param-name>report-uri</param-name>
         <param-value>/some-report-uri</param-value>
     </init-param>
     <init-param>
         <param-name>child-src</param-name>
         <param-value>'self'</param-value>
     </init-param>
     <init-param>
         <param-name>form-action</param-name>
         <param-value>'self'</param-value>
     </init-param>
     <init-param>
         <param-name>frame-ancestors</param-name>
         <param-value>'none'</param-value>
     </init-param>
     <init-param>
         <param-name>plugin-types</param-name>
         <param-value>application/pdf</param-value>
     </init-param>
 </filter>
 <filter-mapping>
     <filter-name>CspFilter</filter-name>
     <url-pattern>/*</url-pattern>
 </filter-mapping>
 

The following parameters default to 'self' if not defined: default-src, script-src, style-src, img-src, font-src, object-src, media-src, child-src and form-action.

The sandbox param defaults to null, indicating that the default sandbox will be applied. The report-uri and plugin-types params also default to null. frame-ancestors defaults to 'none' if not specified.
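The following is an added, stand-alone example (not Alpine's own code) that shows what the documented configuration and defaults amount to once assembled into a Content-Security-Policy header value. It reads the init-params out of a constructed web.xml fragment matching the example above, applies the defaults the Javadoc states ('self' for the listed directives, 'none' for frame-ancestors, null for sandbox, report-uri and plugin-types), and then lints the result for settings a reviewer would question. Two assumptions are made and marked in the code: a null directive is simply left out of the header, and directives are emitted in the order of the web.xml example; connect-src and frame-src, for which the page states no default, are also omitted when not configured.

```python
"""Assemble and lint a CSP header from web.xml init-params (added example, not Alpine code)."""
import xml.etree.ElementTree as ET

# Emission order follows the Javadoc's web.xml example (ASSUMPTION: the filter's own order is not documented here).
DIRECTIVES = (
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "media-src", "frame-src", "sandbox", "report-uri",
    "child-src", "form-action", "frame-ancestors", "plugin-types",
)

# Defaults exactly as the Javadoc states them.
DEFAULTS = {d: "'self'" for d in (
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "object-src", "media-src", "child-src", "form-action")}
DEFAULTS["frame-ancestors"] = "'none'"
# sandbox, report-uri and plugin-types default to null; connect-src and frame-src have no
# documented default. ASSUMPTION: an unset directive is left out of the header entirely.

# Constructed web.xml fragment mirroring the Javadoc example (not a real deployment descriptor).
SAMPLE_WEB_XML = """<web-app>
 <filter>
  <filter-name>CspFilter</filter-name>
  <filter-class>alpine.server.filters.ContentSecurityPolicyFilter</filter-class>
  <init-param><param-name>default-src</param-name><param-value>'self'</param-value></init-param>
  <init-param><param-name>script-src</param-name><param-value>'self' 'unsafe-inline'</param-value></init-param>
  <init-param><param-name>style-src</param-name><param-value>'self'</param-value></init-param>
  <init-param><param-name>img-src</param-name><param-value>'self'</param-value></init-param>
  <init-param><param-name>connect-src</param-name><param-value>'self'</param-value></init-param>
  <init-param><param-name>font-src</param-name><param-value>'self'</param-value></init-param>
  <init-param><param-name>object-src</param-name><param-value>'self'</param-value></init-param>
  <init-param><param-name>media-src</param-name><param-value>'self'</param-value></init-param>
  <init-param><param-name>frame-src</param-name><param-value>'self'</param-value></init-param>
  <init-param><param-name>sandbox</param-name><param-value>allow-forms</param-value></init-param>
  <init-param><param-name>report-uri</param-name><param-value>/some-report-uri</param-value></init-param>
  <init-param><param-name>child-src</param-name><param-value>'self'</param-value></init-param>
  <init-param><param-name>form-action</param-name><param-value>'self'</param-value></init-param>
  <init-param><param-name>frame-ancestors</param-name><param-value>'none'</param-value></init-param>
  <init-param><param-name>plugin-types</param-name><param-value>application/pdf</param-value></init-param>
 </filter>
 <filter-mapping><filter-name>CspFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""


def parse_filter_params(web_xml: str, filter_name: str = "CspFilter") -> dict:
    """Return {param-name: param-value} for the named <filter> in a web.xml document."""
    root = ET.fromstring(web_xml)
    for flt in root.iter("filter"):
        if (flt.findtext("filter-name") or "").strip() == filter_name:
            return {p.findtext("param-name").strip(): p.findtext("param-value").strip()
                    for p in flt.findall("init-param")}
    raise ValueError(f"no <filter> named {filter_name}")


def build_csp(params: dict) -> str:
    """Build the Content-Security-Policy header value, applying the documented defaults."""
    parts = []
    for name in DIRECTIVES:
        value = params.get(name, DEFAULTS.get(name))
        if not value:          # null/absent directive: omitted (see ASSUMPTION above)
            continue
        parts.append(f"{name} {value}")
    return "; ".join(parts)


def lint_csp(params: dict) -> list:
    """Flag init-params that weaken the policy or that no documented directive would read."""
    findings = []
    for name in params:
        if name not in DIRECTIVES:
            findings.append(f"{name}: not a directive listed in the Javadoc; the filter will not emit it")
    effective = {d: params.get(d, DEFAULTS.get(d)) for d in DIRECTIVES}
    script = (effective["script-src"] or "").split()
    if "'unsafe-inline'" in script:
        findings.append("script-src: 'unsafe-inline' lets injected inline scripts run")
    if "'unsafe-eval'" in script:
        findings.append("script-src: 'unsafe-eval' permits eval()-style code execution")
    for name, value in effective.items():
        if value and "*" in value.split():
            findings.append(f"{name}: wildcard source allows any origin")
    return findings


if __name__ == "__main__":
    params = parse_filter_params(SAMPLE_WEB_XML)
    print("Content-Security-Policy:", build_csp(params))
    for finding in lint_csp(params):
        print("warning:", finding)
```

Run as-is, the script prints the header the example configuration produces and one warning: the example's script-src carries 'unsafe-inline', which is the setting that most often turns a reflected or stored XSS into executable script, so a deployment that keeps it should do so knowingly. Calling `build_csp({})` shows the header the filter's documented defaults alone yield. A param named `form-action-src` (the spelling that appeared in earlier copies of this example) is reported by `lint_csp` as not matching any listed directive.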

Since:
1.0.0
Author:
Steve Springett
  • Constructor Details

    • ContentSecurityPolicyFilter

      public ContentSecurityPolicyFilter()
  • Method Details

    • init

      public void init(javax.servlet.FilterConfig filterConfig)
      Specified by:
      init in interface javax.servlet.Filter
    • doFilter

      public void doFilter(javax.servlet.ServletRequest req, javax.servlet.ServletResponse res, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
      Specified by:
      doFilter in interface javax.servlet.Filter
      Throws:
      IOException
      javax.servlet.ServletException
    • destroy

      public void destroy()
      Specified by:
      destroy in interface javax.servlet.Filter