ASF Bugzilla – Attachment 33349 Details for
Bug 58735
Add support for X-XSS-Protection header
[patch]
The patch that implements this feature.
HttpHeaderSecurityFilter.patch (text/plain), 1.75 KB, created by
Jacopo Cappellato
on 2015-12-14 18:09:36 UTC
Description:
The patch that implements this feature.
Filename:
MIME Type:
Creator:
Jacopo Cappellato
Created:
2015-12-14 18:09:36 UTC
Size:
1.75 KB
patch
obsolete
>Index: java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
>===================================================================
>--- java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java (revision 1719964)
>+++ java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java (working copy)
>@@ -57,6 +57,11 @@
> private static final String BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE = "nosniff";
> private boolean blockContentTypeSniffingEnabled = true;
> 
>+ // Cross-site scripting filter protection
>+ private static final String XSS_PROTECTION_HEADER_NAME = "X-XSS-Protection";
>+ private static final String XSS_PROTECTION_HEADER_VALUE = "1; mode=block";
>+ private boolean xssProtectionEnabled = true;
>+
> @Override
> public void init(FilterConfig filterConfig) throws ServletException {
> super.init(filterConfig);
>@@ -103,6 +108,13 @@
> ((HttpServletResponse) response).setHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
> BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);
> }
>+
>+ // cross-site scripting filter protection
>+ if (xssProtectionEnabled && response instanceof HttpServletResponse) {
>+ ((HttpServletResponse) response).setHeader(XSS_PROTECTION_HEADER_NAME,
>+ XSS_PROTECTION_HEADER_VALUE);
>+ }
>+
> chain.doFilter(request, response);
> }
> 
>@@ -212,7 +224,14 @@
> this.antiClickJackingUri = uri;
> }
> 
>+ public boolean isXssProtectionEnabled() {
>+ return xssProtectionEnabled;
>+ }
> 
>+ public void setXssProtectionEnabled(boolean xssProtectionEnabled) {
>+ this.xssProtectionEnabled = xssProtectionEnabled;
>+ }
>+
> private static enum XFrameOption {
> DENY("DENY"),
> SAME_ORIGIN("SAMEORIGIN"),
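Review bot: The new block in doFilter (second hunk) always sends the fixed value `1; mode=block` and the feature is on by default, yet neither the value nor the default is documented anywhere in the patch, while the neighbouring anti-clickjacking option is configurable through `setAntiClickJackingUri` in the third hunk. The added `isXssProtectionEnabled`/`setXssProtectionEnabled` accessors carry no Javadoc; a one-liner such as `/** Whether the {@code X-XSS-Protection: 1; mode=block} header is added to every HTTP response (default {@code true}). */` on the setter would state both facts for deployers. The `xssProtectionEnabled` init-param is presumably mapped onto that setter by `super.init`, which lies outside the hunks, so the filter's user-facing parameter documentation should gain the new parameter as well. The two added comments differ only in capitalisation ("Cross-site" vs "cross-site"); the in-method one could simply reference the constant rather than repeat the field comment. doFilter and the class body both continue outside the hunks.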