--- java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java (revision 1721884)
+++ java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java (working copy)
@@ -57,6 +57,11 @@
 private static final String BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE = "nosniff";
 private boolean blockContentTypeSniffingEnabled = true;
+ // Cross-site scripting filter protection
+ private static final String XSS_PROTECTION_HEADER_NAME = "X-XSS-Protection";
+ private static final String XSS_PROTECTION_HEADER_VALUE = "1; mode=block";
+ private boolean xssProtectionEnabled = true;
+
 @Override
 public void init(FilterConfig filterConfig) throws ServletException {
 super.init(filterConfig);
@@ -103,6 +108,13 @@
 ((HttpServletResponse) response).setHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME, BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE);
 }
+
+ // cross-site scripting filter protection
+ if (xssProtectionEnabled && response instanceof HttpServletResponse) {
+ ((HttpServletResponse) response).setHeader(XSS_PROTECTION_HEADER_NAME,
+ XSS_PROTECTION_HEADER_VALUE);
+ }
+
 chain.doFilter(request, response);
 }
@@ -212,7 +224,14 @@
 this.antiClickJackingUri = uri;
 }
+ public boolean isXssProtectionEnabled() {
+ return xssProtectionEnabled;
+ }
+ public void setXssProtectionEnabled(boolean xssProtectionEnabled) {
+ this.xssProtectionEnabled = xssProtectionEnabled;
+ }
+
 private static enum XFrameOption {
 DENY("DENY"), SAME_ORIGIN("SAMEORIGIN"),
--- webapps/docs/config/filter.xml (revision 1721884)
+++ webapps/docs/config/filter.xml (working copy)
@@ -926,6 +926,14 @@
 default value of true will be used.
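Review bot: The new `XSS_PROTECTION_HEADER_VALUE` constant gives no reason for choosing `1; mode=block` over a bare `1`, whereas the neighbouring `nosniff` value needs none; the distinction matters because the two settings make the browser do different things when its filter triggers. A one-line comment above the constant would settle it for the next maintainer, for example `// "1; mode=block": have the browser block the page outright rather than attempt to rewrite it`. The field declarations sit inside the class body, whose header is outside the hunk.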
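Review bot: The added block in doFilter repeats the `response instanceof HttpServletResponse` test and cast that the preceding nosniff block already performs, so each new header grows the method by another copy of the same guard; the start of doFilter lies outside the hunk, but a single `HttpServletResponse httpResponse = response instanceof HttpServletResponse ? (HttpServletResponse) response : null;` near the top would let every block read `if (xssProtectionEnabled && httpResponse != null)`. Behaviour would be unchanged: the header is still set on every response, including non-HTML ones, and `setHeader` replaces any value a servlet set earlier, as the filter.xml text in this commit states. A short comment that this is defence in depth only — the header merely asks the browser to apply its own reflective-XSS heuristics and does nothing in browsers that have no such filter — would set expectations for anyone enabling it; `// Defence in depth: relies on the browser's own XSS filter, if it has one` would do.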
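Review bot: `isXssProtectionEnabled` and `setXssProtectionEnabled` are public but carry no Javadoc, and nothing in the Java hunks ties them to the `xssProtectionEnabled` init-param documented in the filter.xml change; the existing `antiClickJackingUri` setter just above suggests init-params are mapped to these setters reflectively, which makes the name-to-parameter link worth stating. A line such as `/** Enables or disables the X-XSS-Protection header; set from the xssProtectionEnabled init-param. */` on the setter would close that gap. The enclosing class continues past the end of the hunk.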

+ +

Should the header that enables the browser's cross-site scripting + filter protection (X-XSS-Protection: 1; mode=block) + be set on every response. If already present, the header + will be replaced. If not specified, the default value of + true will be used.

+
+