ASF Bugzilla – Attachment 33379 Details for Bug 58735: Add support for X-XSS-Protection header
[patch] Updated patch with filter's documentation
58735.patch (text/plain), 2.50 KB, created by Jacopo Cappellato on 2015-12-28 08:59:01 UTC
Description: Updated patch with filter's documentation
Filename: 58735.patch
MIME Type: text/plain
Creator: Jacopo Cappellato
Created: 2015-12-28 08:59:01 UTC
Size: 2.50 KB
patch, obsolete
>Index: java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java >=================================================================== >--- java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java (revision 1721884) >+++ java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java (working copy) >@@ -57,6 +57,11 @@ > private static final String BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE = "nosniff"; > private boolean blockContentTypeSniffingEnabled = true; > >+ // Cross-site scripting filter protection >+ private static final String XSS_PROTECTION_HEADER_NAME = "X-XSS-Protection"; >+ private static final String XSS_PROTECTION_HEADER_VALUE = "1; mode=block"; >+ private boolean xssProtectionEnabled = true; >+ > @Override > public void init(FilterConfig filterConfig) throws ServletException { > super.init(filterConfig); >@@ -103,6 +108,13 @@ > ((HttpServletResponse) response).setHeader(BLOCK_CONTENT_TYPE_SNIFFING_HEADER_NAME, > BLOCK_CONTENT_TYPE_SNIFFING_HEADER_VALUE); > } >+ >+ // cross-site scripting filter protection >+ if (xssProtectionEnabled && response instanceof HttpServletResponse) { >+ ((HttpServletResponse) response).setHeader(XSS_PROTECTION_HEADER_NAME, >+ XSS_PROTECTION_HEADER_VALUE); >+ } >+ > chain.doFilter(request, response); > } > >@@ -212,7 +224,14 @@ > this.antiClickJackingUri = uri; > } > >+ public boolean isXssProtectionEnabled() { >+ return xssProtectionEnabled; >+ } > >+ public void setXssProtectionEnabled(boolean xssProtectionEnabled) { >+ this.xssProtectionEnabled = xssProtectionEnabled; >+ } >+ > private static enum XFrameOption { > DENY("DENY"), > SAME_ORIGIN("SAMEORIGIN"), >Index: webapps/docs/config/filter.xml >=================================================================== >--- webapps/docs/config/filter.xml (revision 1721884) >+++ webapps/docs/config/filter.xml (working copy) 
>@@ -926,6 +926,14 @@ > default value of <code>true</code> will be used.</p> > </attribute> > >+ <attribute name="xssProtectionEnabled" required="false"> >+ <p>Should the header that enables the browser's cross-site scripting >+ filter protection (<code>X-XSS-Protection: 1; mode=block</code>) >+ be set on every response. If already present, the header >+ will be replaced. If not specified, the default value of >+ <code>true</code> will be used.</p> >+ </attribute> >+ > </attributes> > > </subsection>
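Review bot: style nit in the first hunk of HttpHeaderSecurityFilter.java (@@ -57,6 +57,11 @@): the comment above the new fields reads `// Cross-site scripting filter protection` while the doFilter() hunk spells the same comment `// cross-site scripting filter protection`; use one capitalisation for both. The three new members (`XSS_PROTECTION_HEADER_NAME`, `XSS_PROTECTION_HEADER_VALUE`, `xssProtectionEnabled`) otherwise follow the naming and default-to-`true` pattern of the adjacent `blockContentTypeSniffingEnabled` block. Because the policy string `"1; mode=block"` is a compile-time constant, the only configurable choice is on/off; if that is intentional, the filter.xml attribute text should say that the value itself cannot be changed.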
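Review bot: in the doFilter() hunk (@@ -103,6 +108,13 @@) the header is written with setHeader() before `chain.doFilter(request, response)` runs, so a servlet or later filter that sets `X-XSS-Protection` afterwards overrides the filter's value; the new filter.xml sentence "If already present, the header will be replaced" is accurate only for a value that was set before this filter ran (setHeader() does replace), and it should make that ordering explicit so readers do not assume the filter has the last word. The block is consistent with the nosniff handling directly above it, including the `response instanceof HttpServletResponse` guard and the fact that the header goes out on every response, not only HTML.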
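Review bot: wording in the filter.xml hunk (@@ -926,6 +926,14 @@): "Should the header that enables the browser's cross-site scripting filter protection (<code>X-XSS-Protection: 1; mode=block</code>) be set on every response." is a question ending in a full stop, and "cross-site scripting filter protection" reads awkwardly; suggest "Should the header that enables the browser's cross-site scripting filter (<code>X-XSS-Protection: 1; mode=block</code>) be set on every response?" The attribute name `xssProtectionEnabled` matches the new `setXssProtectionEnabled` setter in the third Java hunk (@@ -212,7 +224,14 @@), which is what lets the init-param be applied without any change to init(); keep the two names in sync if either is renamed.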
Attachments on bug 58735: 33349 | 33379