| Summary: | support "X-Content-Security-Policy" a.k.a as "CSP" | ||
|---|---|---|---|
| Product: | Tomcat 8 | Reporter: | Ralf Hauser <hauser> |
| Component: | Catalina | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | enhancement | Keywords: | Beginner |
| Priority: | P2 | ||
| Version: | 8.0.x-trunk | ||
| Target Milestone: | ---- | ||
| Hardware: | PC | ||
| OS: | Windows NT | ||
|
Description
Ralf Hauser
2016-01-12 07:48:09 UTC
This looks sufficiently complex that a dedicated filter is required. What isn't clear at this point is if a useful generic filter can be written (in which case it could be added to Tomcat's standard set of filters) or if user really needs to write there own. Ralph, would you care to propose a patch? I don't think this is for "Connectors" [mod_jk]. Re-assigning component. Chris, I can submit a patch if given some guidelines about the Filter's configuration specs. Perhaps a very general-purpose Filter should be written -- one that takes header names and values and sends them if the mapping is matched. Then such a Filter can be extended to a more specific implementation for CSP or other applications. Igal I am often missing a generic filter where you just can provide a header name and value. If this is added then CSP is also supported. Any reason why such a filter does not exist yet? My own personal concern is that we don't want to end up re-implementing this: http://tuckey.org/urlrewrite/ or this: https://tomcat.apache.org/tomcat-9.0-doc/rewrite.html It wouldn't be a bad thing to have something like this: https://httpd.apache.org/docs/current/mod/mod_headers.html Feel free to start small and only support unconditionally adding response headers. |