Added CSP to prevent iframe embedding of gui2 and swagger ui
Change-Id: I77c5524cbb80f8f06de5f1cba8412cfb58a36324
diff --git a/web/api/src/main/java/org/onosproject/rest/resources/ApiDocResource.java b/web/api/src/main/java/org/onosproject/rest/resources/ApiDocResource.java
index b9ee57b..1917ea1 100644
--- a/web/api/src/main/java/org/onosproject/rest/resources/ApiDocResource.java
+++ b/web/api/src/main/java/org/onosproject/rest/resources/ApiDocResource.java
@@ -46,6 +46,8 @@
public class ApiDocResource extends AbstractInjectionResource {
private static final String CONTENT_TYPE = "Content-Type";
+ private static final String CONTENT_SECURITY_POLICY = "Content-Security-Policy";
+ private static final String FRAME_ANCESTORS_NONE = "frame-ancestors 'none'";
private static final String STYLESHEET = "text/css";
private static final String SCRIPT = "text/javascript";
private static final String DOCS = "/docs/";
@@ -140,7 +142,8 @@
stream(index, p1e, p2s)));
return ok(new SequenceInputStream(streams))
- .header(CONTENT_TYPE, TEXT_HTML).build();
+ .header(CONTENT_TYPE, TEXT_HTML)
+ .header(CONTENT_SECURITY_POLICY, FRAME_ANCESTORS_NONE).build();
}
private InputStream includeOptions(ApiDocService service) {
diff --git a/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/MainIndexResource.java b/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/MainIndexResource.java
index 64c4f28..3441cbf 100644
--- a/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/MainIndexResource.java
+++ b/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/MainIndexResource.java
@@ -52,6 +52,9 @@
private static final String INDEX = "index.html";
private static final String NOT_READY = "not-ready.html";
+ private static final String CONTENT_SECURITY_POLICY = "Content-Security-Policy";
+ private static final String FRAME_ANCESTORS_NONE = "frame-ancestors 'none'";
+
private static final String INJECT_USER_START = "<!-- {INJECTED-USER-START} -->";
private static final String INJECT_USER_END = "<!-- {INJECTED-USER-END} -->";
@@ -114,7 +117,9 @@
new ByteArrayInputStream(SCRIPT_END),
stream(index, p0e, p3s)));
- return Response.ok(new SequenceInputStream(streams)).build();
+ return Response.ok(new SequenceInputStream(streams))
+ .header(CONTENT_SECURITY_POLICY, FRAME_ANCESTORS_NONE)
+ .build();
}
private InputStream userConsoleLog(String userName) {