Implemented HttpResponseHeadersFilter to set the CSP frame ancestors header to prevent iframe embedding Change-Id: Ib58e452e291c4df407d30e8b914ab6aa20ae77bc

commit: de3e6f52c814f50d6696bf84d363f762e8ee6fab [log] [tgz]
author: Lakshya Thakur <lapstjup@gmail.com> Sun Nov 29 23:54:24 2020 +0530
committer: Sean Condon <sean@opennetworking.org> Wed Dec 02 07:32:43 2020 +0000
tree: 4874a3568a6cf39a60f08dffccfac454ee02e8e0
parent: 74f589ef615394454a4f8a399b8e1b5f262ecea8 [diff]
diff --git a/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/HttpResponseHeadersFilter.java b/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/HttpResponseHeadersFilter.java
new file mode 100644
index 0000000..68e4ac2
--- /dev/null
+++ b/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/HttpResponseHeadersFilter.java

@@ -0,0 +1,29 @@
+package org.onosproject.ui.impl.gui2;
+ 
+import java.io.IOException;
+ 
+import javax.servlet.Filter;  
+import javax.servlet.FilterConfig;  
+import javax.servlet.FilterChain; 
+import javax.servlet.ServletException; 
+import javax.servlet.ServletRequest; 
+import javax.servlet.ServletResponse; 
+import javax.servlet.http.HttpServletResponse;
+ 
+ 
+public class HttpResponseHeadersFilter implements Filter {
+	
+    @Override
+    public void init(FilterConfig filterconfig){}
+
+    @Override
+	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+	    HttpServletResponse resp = (HttpServletResponse) response;
+        resp.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
+		chain.doFilter(request, resp);
+	}
+
+    @Override
+    public void destroy(){}
+
+}
\ No newline at end of file

diff --git a/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/MainIndexResource.java b/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/MainIndexResource.java
index 3441cbf..64c4f28 100644
--- a/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/MainIndexResource.java
+++ b/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/MainIndexResource.java

@@ -52,9 +52,6 @@
     private static final String INDEX = "index.html";
     private static final String NOT_READY = "not-ready.html";
 
-    private static final String CONTENT_SECURITY_POLICY = "Content-Security-Policy";
-    private static final String FRAME_ANCESTORS_NONE = "frame-ancestors 'none'";
-
     private static final String INJECT_USER_START = "<!-- {INJECTED-USER-START} -->";
     private static final String INJECT_USER_END = "<!-- {INJECTED-USER-END} -->";
 
@@ -117,9 +114,7 @@
                         new ByteArrayInputStream(SCRIPT_END),
                         stream(index, p0e, p3s)));
 
-        return Response.ok(new SequenceInputStream(streams))
-                       .header(CONTENT_SECURITY_POLICY, FRAME_ANCESTORS_NONE)
-                       .build();
+        return Response.ok(new SequenceInputStream(streams)).build();
     }
 
     private InputStream userConsoleLog(String userName) {
commit	de3e6f52c814f50d6696bf84d363f762e8ee6fab	[log] [tgz]
author	Lakshya Thakur <lapstjup@gmail.com>	Sun Nov 29 23:54:24 2020 +0530
committer	Sean Condon <sean@opennetworking.org>	Wed Dec 02 07:32:43 2020 +0000
tree	4874a3568a6cf39a60f08dffccfac454ee02e8e0
parent	74f589ef615394454a4f8a399b8e1b5f262ecea8 [diff]