Author: markt
Date: Fri Jan 1 18:10:02 2016
New Revision: 1722522
URL: http://svn.apache.org/viewvc?rev=1722522&view=rev
Log:
Add support for the X-XSS-Protection header to the HttpHeaderSecurityFilter.
Patch provided by Jacopo Cappellato.
Modified:
tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/filter.xml
Modified:
tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java?rev=1722522&r1=1722521&r2=1722522&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
Fri Jan 1 18:10:02 2016
@@ -57,6 +57,11 @@ public class HttpHeaderSecurityFilter ex
private static final String BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE =
"nosniff";
private boolean blockContentTypeSniffingEnabled = true;
+ // Cross-site scripting filter protection
+ private static final String XSS_PROTECTION_HEADER_NAME =
"X-XSS-Protection";
+ private static final String XSS_PROTECTION_HEADER_VALUE = "1; mode=block";
+ private boolean xssProtectionEnabled = true;
+
@Override
public void init(FilterConfig filterConfig) throws ServletException {
super.init(filterConfig);
@@ -103,6 +108,13 @@ public class HttpHeaderSecurityFilter ex
((HttpServletResponse)
response).setHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);
}
+
+ // cross-site scripting filter protection
+ if (xssProtectionEnabled && response instanceof HttpServletResponse) {
+ ((HttpServletResponse)
response).setHeader(XSS_PROTECTION_HEADER_NAME,
+ XSS_PROTECTION_HEADER_VALUE);
+ }
+
chain.doFilter(request, response);
}
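Review bot: The new block at `if (xssProtectionEnabled && response instanceof HttpServletResponse)` overwrites rather than merges: `setHeader` discards any `X-XSS-Protection` value an application or an earlier filter has already placed on the response, which matches the filter.xml wording in this same commit but is not visible from the code itself. A one-line comment would keep that contract next to the code, e.g. `// setHeader() replaces any X-XSS-Protection value already set by the application or an earlier filter`. The comment above the block also repeats the field comment from the first hunk with different capitalisation (`// cross-site scripting filter protection` vs `// Cross-site scripting filter protection`); one consistent form is enough. The enclosing doFilter method starts outside the hunk.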
@@ -212,6 +224,13 @@ public class HttpHeaderSecurityFilter ex
this.antiClickJackingUri = uri;
}
+ public boolean isXssProtectionEnabled() {
+ return xssProtectionEnabled;
+ }
+
+ public void setXssProtectionEnabled(boolean xssProtectionEnabled) {
+ this.xssProtectionEnabled = xssProtectionEnabled;
+ }
private static enum XFrameOption {
DENY("DENY"),
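Review bot: `setXssProtectionEnabled` is a public configuration entry point but has no Javadoc, so a reader cannot tell from the method which header it controls or what the default is without hunting for the constants in the first hunk. Presumably the value arrives from the filter init-param through the base class property handling reached via `super.init(filterConfig)` in the first hunk; that is inferred, not visible here. I would add `/** Enables or disables emitting {@code X-XSS-Protection: 1; mode=block} on every response; defaults to {@code true}. */` above the setter, and a matching one-line summary on `isXssProtectionEnabled`.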
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1722522&r1=1722521&r2=1722522&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Jan 1 18:10:02 2016
@@ -150,6 +150,11 @@
<fix>
Fixed various issues reported by Findbugs. (violetagg)
</fix>
+ <fix>
+ <bug>58735</bug>: Add support for the <code>X-XSS-Protection</code>
+ header to the <code>HttpHeaderSecurityFilter</code>. Patch provided by
+ Jacopo Cappellato. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
Modified: tomcat/trunk/webapps/docs/config/filter.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/filter.xml?rev=1722522&r1=1722521&r2=1722522&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/trunk/webapps/docs/config/filter.xml Fri Jan 1 18:10:02 2016
@@ -926,6 +926,14 @@ FINE: Request "/docs/config/manager.html
default value of <code>true</code> will be used.</p>
</attribute>
+ <attribute name="xssProtectionEnabled" required="false">
+ <p>Should the header that enables the browser's cross-site scripting
+ filter protection (<code>X-XSS-Protection: 1; mode=block</code>)
+ be set on every response. If already present, the header
+ will be replaced. If not specified, the default value of
+ <code>true</code> will be used.</p>
+ </attribute>
+
</attributes>
</subsection>