Class ContentSecurityPolicyFilter

  • All Implemented Interfaces:
    javax.servlet.Filter

    public final class ContentSecurityPolicyFilter
    extends Object
    implements javax.servlet.Filter

    Implements W3C Content Security Policy (Level 1 and 2).

    This filter is configured via the application's web.xml.

    An example implementation in web.xml:
     <filter>
         <filter-name>CspFilter</filter-name>
         <filter-class>alpine.filters.ContentSecurityPolicyFilter</filter-class>
         <init-param>
             <param-name>default-src</param-name>
             <param-value>'self'</param-value>
         </init-param>
         <init-param>
             <param-name>script-src</param-name>
             <param-value>'self' 'unsafe-inline'</param-value>
         </init-param>
         <init-param>
             <param-name>style-src</param-name>
             <param-value>'self'</param-value>
         </init-param>
         <init-param>
             <param-name>img-src</param-name>
             <param-value>'self'</param-value>
         </init-param>
         <init-param>
             <param-name>connect-src</param-name>
             <param-value>'self'</param-value>
         </init-param>
         <init-param>
             <param-name>font-src</param-name>
             <param-value>'self'</param-value>
         </init-param>
         <init-param>
             <param-name>object-src</param-name>
             <param-value>'self'</param-value>
         </init-param>
         <init-param>
             <param-name>media-src</param-name>
             <param-value>'self'</param-value>
         </init-param>
         <init-param>
             <param-name>frame-src</param-name>
             <param-value>'self'</param-value>
         </init-param>
         <init-param>
             <param-name>sandbox</param-name>
             <param-value>allow-forms</param-value>
         </init-param>
         <init-param>
             <param-name>report-uri</param-name>
             <param-value>/some-report-uri</param-value>
         </init-param>
         <init-param>
             <param-name>child-src</param-name>
             <param-value>'self'</param-value>
         </init-param>
         <init-param>
             <param-name>form-action-src</param-name>
             <param-value>'self'</param-value>
         </init-param>
         <init-param>
             <param-name>frame-ancestors</param-name>
             <param-value>'none'</param-value>
         </init-param>
         <init-param>
             <param-name>plugin-types</param-name>
             <param-value>application/pdf</param-value>
         </init-param>
     </filter>
     <filter-mapping>
         <filter-name>CspFilter</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>

    The following parameters default to 'self' if not defined: default-src, script-src, style-src, img-src, font-src, object-src, media-src, child-src and form-action.

    The sandbox parameter defaults to null, indicating that the default sandbox will be applied. The report-uri and plugin-types parameters also default to null. frame-ancestors defaults to 'none' if not specified.
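As an added example (not Alpine's own code), the following Python parses a web.xml filter declaration like the one above, derives the policy value the documented defaults imply, and audits it: it reports init-param names outside the documented directive list (which the example above hits with form-action-src, where the documented name is form-action) and flags 'unsafe-inline' or 'unsafe-eval' in script-src. The defaults it encodes come from this page; the directive joining format and the treatment of null defaults as omitted directives are assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed sample web.xml (abridged from the configuration shown in the Javadoc above).
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>CspFilter</filter-name>
    <filter-class>alpine.filters.ContentSecurityPolicyFilter</filter-class>
    <init-param><param-name>script-src</param-name><param-value>'self' 'unsafe-inline'</param-value></init-param>
    <init-param><param-name>report-uri</param-name><param-value>/some-report-uri</param-value></init-param>
    <init-param><param-name>form-action-src</param-name><param-value>'self'</param-value></init-param>
  </filter>
</web-app>"""
FILTER_CLASS = "alpine.filters.ContentSecurityPolicyFilter"
SELF, NONE = "'self'", "'none'"
# Documented defaults: these directives fall back to 'self' when not configured,
SELF_DEFAULT = ("default-src", "script-src", "style-src", "img-src", "font-src",
                "object-src", "media-src", "child-src", "form-action")
# these default to null (assumed here to mean the directive is omitted),
NULL_DEFAULT = ("sandbox", "report-uri", "plugin-types")
# and frame-ancestors defaults to 'none'. connect-src and frame-src have no documented default.
KNOWN = set(SELF_DEFAULT) | set(NULL_DEFAULT) | {"frame-ancestors", "connect-src", "frame-src"}

def _local(tag):  # drop the xmlns prefix: {http://xmlns.jcp.org/xml/ns/javaee}filter -> filter
    return tag.rsplit("}", 1)[-1]

def _child_text(el, name):
    return next(((c.text or "").strip() for c in el if _local(c.tag) == name), None)

def filter_params(web_xml):
    """Init-params of the <filter> whose filter-class is the CSP filter."""
    for flt in ET.fromstring(web_xml).iter():
        if _local(flt.tag) == "filter" and _child_text(flt, "filter-class") == FILTER_CLASS:
            return {_child_text(p, "param-name"): _child_text(p, "param-value")
                    for p in flt if _local(p.tag) == "init-param"}
    raise ValueError("CSP filter is not declared in web.xml")

def build_policy(params):
    """Policy value implied by the documented defaults (the joining format is this example's own)."""
    parts = [f"{d} {params.get(d, SELF)}" for d in SELF_DEFAULT]
    parts += [f"{d} {params[d]}" for d in ("connect-src", "frame-src") + NULL_DEFAULT if d in params]
    parts.append(f"frame-ancestors {params.get('frame-ancestors', NONE)}")
    return "; ".join(parts)

def audit(params):
    """Findings a reviewer would raise before deploying this configuration."""
    findings = [f"init-param '{n}' is not a documented directive name" for n in params if n not in KNOWN]
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if weak in params.get("script-src", SELF).split():
            findings.append(f"script-src allows {weak}, which weakens the XSS protection CSP provides")
    return findings
```

Run filter_params on your own web.xml text, then build_policy and audit on the returned dict; a directive that is configured under an unrecognised name is silently left at its documented default.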

    Since:
    1.0.0
    Author:
    Steve Springett
    • Constructor Detail

      • ContentSecurityPolicyFilter

        public ContentSecurityPolicyFilter()
    • Method Detail

      • init

        public void init(javax.servlet.FilterConfig filterConfig)
        Specified by:
        init in interface javax.servlet.Filter
      • doFilter

        public void doFilter(javax.servlet.ServletRequest req,
                             javax.servlet.ServletResponse res,
                             javax.servlet.FilterChain chain)
                      throws IOException,
                             javax.servlet.ServletException
        Specified by:
        doFilter in interface javax.servlet.Filter
        Throws:
        IOException
        javax.servlet.ServletException
      • destroy

        public void destroy()
        Specified by:
        destroy in interface javax.servlet.Filter