chore: include a sample of violated code into CSP report.

php-coder · php-coder · commit bd504b1adfe6 · 2020-01-23T23:19:52.000Z
New expression in CSP3 (https://www.w3.org/TR/CSP3/#changes-from-level-2): % Reports generated for inline violations will contain a sample attribute if the relevant directive contains the 'report-sample' expression. % Address to #226
diff --git a/src/main/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriter.java b/src/main/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriter.java
@@ -68,7 +68,7 @@ class ContentSecurityPolicyHeaderWriter implements HeaderWriter {
 	private static final String REPORT_URI = "report-uri ";
 	
 	// - 'https://cdn.jsdelivr.net' is required by languages.min.css (FIXME: GH #246)
-	private static final String STYLE_SRC = "style-src https://cdn.jsdelivr.net ";
+	private static final String STYLE_SRC = "style-src 'report-sample' https://cdn.jsdelivr.net ";
 	
 	// - 'self' is required for our own CSS files
 	private static final String STYLES_SELF = "'self'";
@@ -126,7 +126,7 @@ class ContentSecurityPolicyHeaderWriter implements HeaderWriter {
 	// 'unsafe-hashed-attributes' from CSP3. Details:
 	// https://github.com/jquery/jquery/blob/d71f6a53927ad02d/jquery.js#L1441-L1447
 	// and https://w3c.github.io/webappsec-csp/#unsafe-hashed-attributes-usage)
-	private static final String SCRIPT_SRC = "script-src 'unsafe-inline' ";
+	private static final String SCRIPT_SRC = "script-src 'report-sample' 'unsafe-inline' ";
 	
 	// - 'self' is required for our own JS files
 	private static final String SCRIPTS_SELF = "'self'";
diff --git a/src/test/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriterTest.java b/src/test/java/ru/mystamps/web/support/spring/security/ContentSecurityPolicyHeaderWriterTest.java
@@ -70,8 +70,8 @@ public void onIndexPageWithLocalResources() {
 				"img-src https://cdn.jsdelivr.net 'self'",
 				"font-src 'self'",
 				"report-uri http://127.0.0.1:8080/site/csp/reports",
-				"style-src https://cdn.jsdelivr.net 'self'",
-				"script-src 'unsafe-inline' 'self'"
+				"style-src 'report-sample' https://cdn.jsdelivr.net 'self'",
+				"script-src 'report-sample' 'unsafe-inline' 'self'"
 			)
 			.hasSize(NUMBER_OF_DIRECTIVES_ON_STANDARD_PAGES);
 	}
@@ -91,12 +91,14 @@ public void onIndexPageWithResourcesFromCdn() {
 			)
 			.contains(
 				"style-src "
+					+ "'report-sample' "
 					+ "https://cdn.jsdelivr.net "
 					+ "https://stamps.filezz.ru "
 					+ "https://maxcdn.bootstrapcdn.com"
 			)
 			.contains(
 				"script-src "
+					+ "'report-sample' "
 					+ "'unsafe-inline' "
 					+ "https://stamps.filezz.ru "
 					+ "https://maxcdn.bootstrapcdn.com "
@@ -115,13 +117,15 @@ public void onCollectionInfoPageWithLocalResources() {
 		assertThat(directives)
 			.contains(
 				"style-src "
+					+ "'report-sample' "
 					+ "https://cdn.jsdelivr.net "
 					+ "'self' "
 					+ "https://www.gstatic.com "
 					+ "'sha256-/kXZODfqoc2myS1eI6wr0HH8lUt+vRhW8H/oL+YJcMg='"
 			)
 			.contains(
 				"script-src "
+					+ "'report-sample' "
 					+ "'unsafe-inline' "
 					+ "'self' "
 					+ "'unsafe-eval' "
@@ -141,6 +145,7 @@ public void onCollectionInfoPageWithResourcesFromCdn() {
 		assertThat(directives)
 			.contains(
 				"style-src "
+					+ "'report-sample' "
 					+ "https://cdn.jsdelivr.net "
 					+ "https://stamps.filezz.ru "
 					+ "https://maxcdn.bootstrapcdn.com "
@@ -149,6 +154,7 @@ public void onCollectionInfoPageWithResourcesFromCdn() {
 			)
 			.contains(
 				"script-src "
+					+ "'report-sample' "
 					+ "'unsafe-inline' "
 					+ "https://stamps.filezz.ru "
 					+ "https://maxcdn.bootstrapcdn.com "
@@ -172,6 +178,7 @@ public void onSeriesAddImagePageWithLocalResources() {
 			assertThat(directives)
 				.contains(
 					"style-src "
+						+ "'report-sample' "
 						+ "https://cdn.jsdelivr.net "
 						+ "'self' "
 						+ "'sha256-DpmxvnMJIlwkpmmAANZYNzmyfnX2PQCBDO4CB2BFjzU='"
@@ -194,13 +201,15 @@ public void onSeriesAddImagePageWithResourcesFromCdn() {
 			assertThat(directives)
 				.contains(
 					"style-src "
+						+ "'report-sample' "
 						+ "https://cdn.jsdelivr.net "
 						+ "https://stamps.filezz.ru "
 						+ "https://maxcdn.bootstrapcdn.com "
 						+ "'sha256-DpmxvnMJIlwkpmmAANZYNzmyfnX2PQCBDO4CB2BFjzU='"
 				)
 				.contains(
 					"script-src "
+						+ "'report-sample' "
 						+ "'unsafe-inline' "
 						+ "https://stamps.filezz.ru "
 						+ "https://maxcdn.bootstrapcdn.com "
@@ -223,13 +232,15 @@ public void onSeriesAddPageWithLocalResources() {
 		assertThat(directives)
 			.contains(
 				"style-src "
+					+ "'report-sample' "
 					+ "https://cdn.jsdelivr.net "
 					+ "'self' "
 					+ "'sha256-DpmxvnMJIlwkpmmAANZYNzmyfnX2PQCBDO4CB2BFjzU=' "
 					+ "https://cdnjs.cloudflare.com"
 			)
 			.contains(
 				"script-src "
+					+ "'report-sample' "
 					+ "'unsafe-inline' "
 					+ "'self' "
 					+ "https://cdnjs.cloudflare.com"
@@ -249,6 +260,7 @@ public void onSeriesAddPageWithResourcesFromCdn() {
 		assertThat(directives)
 			.contains(
 				"style-src "
+					+ "'report-sample' "
 					+ "https://cdn.jsdelivr.net "
 					+ "https://stamps.filezz.ru "
 					+ "https://maxcdn.bootstrapcdn.com "
@@ -257,6 +269,7 @@ public void onSeriesAddPageWithResourcesFromCdn() {
 			)
 			.contains(
 				"script-src "
+					+ "'report-sample' "
 					+ "'unsafe-inline' "
 					+ "https://stamps.filezz.ru "
 					+ "https://maxcdn.bootstrapcdn.com "
@@ -278,6 +291,7 @@ public void onH2ConsoleWithLocalResources() {
 		assertThat(directives).
 			contains(
 				"style-src "
+					+ "'report-sample' "
 					+ "https://cdn.jsdelivr.net"
 					+ " 'self'"
 					+ " 'sha256-biLFinpqYMtWHmXfkA1BPeCY0/fNt46SAZ+BBk5YUog='"
@@ -309,6 +323,7 @@ public void onH2ConsoleWithResourcesFromCdn() {
 			// "style-src" directive should be the same as for the index page
 			.contains(
 				"style-src "
+					+ "'report-sample' "
 					+ "https://cdn.jsdelivr.net "
 					+ "https://stamps.filezz.ru "
 					+ "https://maxcdn.bootstrapcdn.com"
