
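--- a/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
+++ b/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
@@ -57,6 +57,11 @@
     private static final String BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE = "nosniff";
     private boolean blockContentTypeSniffingEnabled = true;
 
+    // Cross-site scripting filter protection
+    private static final String XSS_PROTECTION_HEADER_NAME = "X-XSS-Protection";
+    private static final String XSS_PROTECTION_HEADER_VALUE = "1; mode=block";
+    private boolean xssProtectionEnabled = true;
+
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
         super.init(filterConfig);
@@ -103,6 +108,13 @@
             ((HttpServletResponse) response).setHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME,
                     BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);
         }
+
+        // cross-site scripting filter protection
+        if (xssProtectionEnabled && response instanceof HttpServletResponse) {
+            ((HttpServletResponse) response).setHeader(XSS_PROTECTION_HEADER_NAME,
+                    XSS_PROTECTION_HEADER_VALUE);
+        }
+
         chain.doFilter(request, response);
     }
 
@@ -212,7 +224,14 @@
         this.antiClickJackingUri = uri;
     }
 
+    public boolean isXssProtectionEnabled() {
+        return xssProtectionEnabled;
+    }
 
+    public void setXssProtectionEnabled(boolean xssProtectionEnabled) {
+        this.xssProtectionEnabled = xssProtectionEnabled;
+    }
+
     private static enum XFrameOption {
         DENY("DENY"),
         SAME_ORIGIN("SAMEORIGIN"),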
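Review bot: The new getter and setter in the third hunk carry no Javadoc, unlike a public configuration property should, and the doFilter block in the second hunk repeats the `response instanceof HttpServletResponse` test and cast that the preceding header blocks already perform. For the property I would add `/** Whether the {@code X-XSS-Protection} header is set on every response; defaults to {@code true}. */` on the getter and a matching `@param` on the setter, noting that the value is bound from the filter's init-param of the same name (presumably via the base class's property introspection, as for the other options). For doFilter, as more headers accumulate it would read better to test and cast the response once at the top of the method and reuse the typed reference in each block; doFilter starts outside the hunk, so I cannot see whether such a reference already exists there. The header value is a fixed constant, so if a deployment ever needs a different value (or to switch the filter off for this header) the only knob is `xssProtectionEnabled`, which is worth stating in the Javadoc.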
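--- a/webapps/docs/config/filter.xml
+++ b/webapps/docs/config/filter.xml
@@ -926,6 +926,14 @@
         default value of <code>true</code> will be used.</p>
       </attribute>
 
+      <attribute name="xssProtectionEnabled" required="false">
+        <p>Should the header that enables the browser's cross-site scripting
+        filter protection (<code>X-XSS-Protection: 1; mode=block</code>)
+        be set on every response. If already present, the header
+        will be replaced. If not specified, the default value of
+        <code>true</code> will be used.</p>
+      </attribute>
+
     </attributes>
 
   </subsection>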
