Bug 58837 - support "X-Content-Security-Policy" a.k.a as "CSP"
Status: RESOLVED DUPLICATE of bug 65267
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
Version: 8.0.x-trunk
Hardware: PC Windows NT
Importance: P2 enhancement
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Keywords: Beginner
Reported: 2016-01-12 07:48 UTC by Ralf Hauser
Modified: 2021-05-11 16:01 UTC

Comment 1 Mark Thomas 2016-01-12 08:16:15 UTC
This looks sufficiently complex that a dedicated filter is required.

What isn't clear at this point is if a useful generic filter can be written (in which case it could be added to Tomcat's standard set of filters) or if users really need to write their own.
Comment 2 Ralf Hauser 2016-06-25 10:18:35 UTC
Maybe the HttpHeaderSecurityFilter.java of bug 58735 can be used for this.

See also bug 58548.
Comment 4 Christopher Schultz 2017-06-28 13:30:58 UTC
Ralf, would you care to propose a patch?
Comment 5 Christopher Schultz 2017-09-01 14:29:24 UTC
I don't think this is for "Connectors" [mod_jk]. Re-assigning component.
Comment 6 Igal Sapir 2017-10-02 16:35:55 UTC

I can submit a patch if given some guidelines about the Filter's configuration specs.

Perhaps a very general-purpose Filter should be written -- one that takes header names and values and sends them if the mapping is matched.

Then such a Filter can be extended to a more specific implementation for CSP or other applications.

Comment 7 Donald 2018-10-30 10:36:29 UTC
I am often missing a generic filter where you can just provide a header name and value. If this is added then CSP is also supported. Any reason why such a filter does not exist yet?
Comment 8 Christopher Schultz 2018-10-30 17:42:54 UTC
My own personal concern is that we don't want to end up re-implementing this: http://tuckey.org/urlrewrite/ or this: https://tomcat.apache.org/tomcat-9.0-doc/rewrite.html

It wouldn't be a bad thing to have something like this: https://httpd.apache.org/docs/current/mod/mod_headers.html

Feel free to start small and only support unconditionally adding response headers.
Comment 9 Mark Thomas 2021-05-11 16:01:23 UTC
The mod_headers-like component has had some interest lately. The new issue has more up-to-date info.

*** This bug has been marked as a duplicate of bug 65267 ***
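
The starting point suggested in comment 8 (unconditionally adding one response header from a configured name and value), as an added example; this is not code from the Tomcat project or from any commenter. The class name and the `headerName`/`headerValue` init-param names are assumptions, and it targets the `javax.servlet` API used by Tomcat 8 and 9.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter (not part of Tomcat): adds one fixed response header. */
public class StaticResponseHeaderFilter implements Filter {

    private String headerName;
    private String headerValue;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // "headerName" and "headerValue" are assumed init-param names.
        headerName = config.getInitParameter("headerName");
        headerValue = config.getInitParameter("headerValue");
        if (headerName == null || headerName.isEmpty() || headerValue == null) {
            throw new ServletException("headerName and headerValue are required");
        }
        // Fail deployment on CR/LF so a bad config cannot split the header block.
        if (containsLineBreak(headerName) || containsLineBreak(headerValue)) {
            throw new ServletException("CR/LF not allowed in header name or value");
        }
    }

    static boolean containsLineBreak(String s) {
        return s.indexOf('\r') >= 0 || s.indexOf('\n') >= 0;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Set the header before invoking the chain: headers set after the
        // response is committed are ignored by the container.
        if (response instanceof HttpServletResponse && !response.isCommitted()) {
            ((HttpServletResponse) response).setHeader(headerName, headerValue);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // No resources to release.
    }
}
```

Mapped to `/*` in `web.xml` with `headerName` set to `Content-Security-Policy` and the policy string as `headerValue`, it sends that header on every response that has not already been committed. Because it uses `setHeader`, a policy set here is replaced if the application later sets the same header itself before the response is committed.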