Added CSP to prevent iframe embedding of gui2 and swagger ui

Change-Id: I77c5524cbb80f8f06de5f1cba8412cfb58a36324
diff --git a/web/api/src/main/java/org/onosproject/rest/resources/ApiDocResource.java b/web/api/src/main/java/org/onosproject/rest/resources/ApiDocResource.java
index b9ee57b..1917ea1 100644
--- a/web/api/src/main/java/org/onosproject/rest/resources/ApiDocResource.java
+++ b/web/api/src/main/java/org/onosproject/rest/resources/ApiDocResource.java
@@ -46,6 +46,8 @@
 public class ApiDocResource extends AbstractInjectionResource {
 
     private static final String CONTENT_TYPE = "Content-Type";
+    private static final String CONTENT_SECURITY_POLICY = "Content-Security-Policy";
+    private static final String FRAME_ANCESTORS_NONE = "frame-ancestors 'none'";
     private static final String STYLESHEET = "text/css";
     private static final String SCRIPT = "text/javascript";
     private static final String DOCS = "/docs/";
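Review bot: The two added constants `CONTENT_SECURITY_POLICY` and `FRAME_ANCESTORS_NONE` are declared again, character for character, in MainIndexResource (first hunk of the second file), so the policy can drift between the two entry points if only one is edited later. Consider declaring them once in a place both resources can reach. The declaration also deserves a comment stating its intent, for example `// Forbid rendering this page inside any frame (clickjacking defence).`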
@@ -140,7 +142,8 @@
                                          stream(index, p1e, p2s)));
 
         return ok(new SequenceInputStream(streams))
-                .header(CONTENT_TYPE, TEXT_HTML).build();
+                .header(CONTENT_TYPE, TEXT_HTML)
+                .header(CONTENT_SECURITY_POLICY, FRAME_ANCESTORS_NONE).build();
     }
 
     private InputStream includeOptions(ApiDocService service) {
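Review bot: `frame-ancestors` is honoured only by browsers that implement CSP Level 2, so the added `.header(CONTENT_SECURITY_POLICY, FRAME_ANCESTORS_NONE)` line leaves the Swagger UI frameable in older clients. Sending the legacy header alongside it closes that gap: `.header("X-Frame-Options", "DENY")`. The same applies to the response built in MainIndexResource. The enclosing method starts outside this hunk, so any other return path it has cannot be checked from here and should carry the same headers.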
diff --git a/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/MainIndexResource.java b/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/MainIndexResource.java
index 64c4f28..3441cbf 100644
--- a/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/MainIndexResource.java
+++ b/web/gui2/src/main/java/org/onosproject/ui/impl/gui2/MainIndexResource.java
@@ -52,6 +52,9 @@
     private static final String INDEX = "index.html";
     private static final String NOT_READY = "not-ready.html";
 
+    private static final String CONTENT_SECURITY_POLICY = "Content-Security-Policy";
+    private static final String FRAME_ANCESTORS_NONE = "frame-ancestors 'none'";
+
     private static final String INJECT_USER_START = "<!-- {INJECTED-USER-START} -->";
     private static final String INJECT_USER_END = "<!-- {INJECTED-USER-END} -->";
 
@@ -114,7 +117,9 @@
                         new ByteArrayInputStream(SCRIPT_END),
                         stream(index, p0e, p3s)));
 
-        return Response.ok(new SequenceInputStream(streams)).build();
+        return Response.ok(new SequenceInputStream(streams))
+                       .header(CONTENT_SECURITY_POLICY, FRAME_ANCESTORS_NONE)
+                       .build();
     }
 
     private InputStream userConsoleLog(String userName) {
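Review bot: Only the response assembled from `index` receives the header here, yet the class also declares `NOT_READY = "not-ready.html"`. If that page is returned through a separate `Response` elsewhere in the class (not visible in this hunk), it stays embeddable in a frame. Building both responses through one small private helper that attaches the header would keep them consistent. If the header should cover every GUI2 and API-doc response, a JAX-RS `ContainerResponseFilter` is a single place to set it. The enclosing method begins outside the hunk.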