Implemented HttpResponseHeadersFilter to set the CSP frame ancestors header to prevent iframe embedding

Change-Id: Ib58e452e291c4df407d30e8b914ab6aa20ae77bc
diff --git a/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/HttpResponseHeadersFilter.java b/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/HttpResponseHeadersFilter.java
new file mode 100644
index 0000000..68e4ac2
--- /dev/null
+++ b/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/HttpResponseHeadersFilter.java
@@ -0,0 +1,29 @@
+package org.onosproject.ui.impl.gui2;
+ 
+import java.io.IOException;
+ 
+import javax.servlet.Filter;  
+import javax.servlet.FilterConfig;  
+import javax.servlet.FilterChain; 
+import javax.servlet.ServletException; 
+import javax.servlet.ServletRequest; 
+import javax.servlet.ServletResponse; 
+import javax.servlet.http.HttpServletResponse;
+ 
+ 
+public class HttpResponseHeadersFilter implements Filter {
+	
+    @Override
+    public void init(FilterConfig filterconfig){}
+
+    @Override
+	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+	    HttpServletResponse resp = (HttpServletResponse) response;
+        resp.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
+		chain.doFilter(request, resp);
+	}
+
+    @Override
+    public void destroy(){}
+
+}
\ No newline at end of file
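Review bot: The cast in `doFilter` is unchecked, and the filter relies on `frame-ancestors` alone, which browsers without CSP Level 2 support ignore. I would guard the cast with `instanceof` and also send `X-Frame-Options: DENY` as a fallback, as in the excerpt below. Because the header is set before `chain.doFilter`, any downstream resource that calls `setHeader("Content-Security-Policy", ...)` with its own policy will replace this value and drop `frame-ancestors`; a short comment on the class stating that expectation would help. The new file also mixes tabs and spaces and has no class Javadoc.

```java
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse resp = (HttpServletResponse) response;
            resp.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
            // Fallback for browsers that do not honour frame-ancestors.
            resp.setHeader("X-Frame-Options", "DENY");
        }
        chain.doFilter(request, response);
    }
```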
diff --git a/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/MainIndexResource.java b/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/MainIndexResource.java
index 3441cbf..64c4f28 100644
--- a/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/MainIndexResource.java
+++ b/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/MainIndexResource.java
@@ -52,9 +52,6 @@
     private static final String INDEX = "index.html";
     private static final String NOT_READY = "not-ready.html";
 
-    private static final String CONTENT_SECURITY_POLICY = "Content-Security-Policy";
-    private static final String FRAME_ANCESTORS_NONE = "frame-ancestors 'none'";
-
     private static final String INJECT_USER_START = "<!-- {INJECTED-USER-START} -->";
     private static final String INJECT_USER_END = "<!-- {INJECTED-USER-END} -->";
 
@@ -117,9 +114,7 @@
                         new ByteArrayInputStream(SCRIPT_END),
                         stream(index, p0e, p3s)));
 
-        return Response.ok(new SequenceInputStream(streams))
-                       .header(CONTENT_SECURITY_POLICY, FRAME_ANCESTORS_NONE)
-                       .build();
+        return Response.ok(new SequenceInputStream(streams)).build();
     }
 
     private InputStream userConsoleLog(String userName) {
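Review bot: After this change nothing at the `return Response.ok(...)` site shows that the index page still needs anti-framing protection, which now depends entirely on the filter mapping in web.xml. I would add a comment above the return, for example `// Content-Security-Policy (frame-ancestors 'none') is applied by HttpResponseHeadersFilter via web.xml`, so that a later edit to the mapping is not made without noticing that this response loses the header. A test asserting the header on the index response would catch the same regression. The enclosing method starts outside the hunk.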
diff --git a/web/gui2/src/main/webapp/WEB-INF/web.xml b/web/gui2/src/main/webapp/WEB-INF/web.xml
index 2543df8..fdcd422 100644
--- a/web/gui2/src/main/webapp/WEB-INF/web.xml
+++ b/web/gui2/src/main/webapp/WEB-INF/web.xml
@@ -21,6 +21,16 @@
          id="ONOS" version="2.5">
     <display-name>ONOS GUI 2</display-name>
 
+    <filter>
+        <filter-name>Http Response Headers Filter</filter-name>
+        <filter-class>org.onosproject.ui.impl.gui2.HttpResponseHeadersFilter</filter-class>
+    </filter>
+    
+    <filter-mapping> 
+        <filter-name>Http Response Headers Filter</filter-name> 
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
     <welcome-file-list>
         <welcome-file>index.html</welcome-file>
     </welcome-file-list>