1
0
mirror of https://github.com/google/nomulus synced 2026-07-12 02:52:38 +00:00

Implement CSP for the registrar console (#3129)

Implement a hybrid Content Security Policy (CSP) for the Registrar Console
to protect against XSS

- The CspFilter injects the proper headers on the Java backend endpoints
- Uinsg Jetty's HeaderFilter to inject the header for statically-served
  frontend assets

We need to add the ee10-servlets.ini file for Jetty to have acess to the
HeaderFilter class
This commit is contained in:
gbrodman
2026-07-10 14:03:36 -04:00
committed by GitHub
parent 4df734da2a
commit 653da19e53
5 changed files with 118 additions and 0 deletions
@@ -0,0 +1,41 @@
// Copyright 2026 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.ui.server;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
/** Filter to inject security headers, including CSP, for defense-in-depth. */
public class CspFilter implements Filter {
private static final String CSP_POLICY =
"default-src 'self'; object-src 'none'; base-uri 'self';";
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
if (response instanceof HttpServletResponse httpResponse) {
httpResponse.setHeader("Content-Security-Policy", CSP_POLICY);
httpResponse.setHeader("X-Content-Type-Options", "nosniff");
httpResponse.setHeader("X-Frame-Options", "DENY");
}
chain.doFilter(request, response);
}
}
@@ -0,0 +1,44 @@
// Copyright 2026 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package google.registry.ui.server;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import jakarta.servlet.FilterChain;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.junit.jupiter.api.Test;
/** Unit tests for {@link CspFilter}. */
class CspFilterTest {
@Test
void testDoFilter_setsHeaders() throws Exception {
CspFilter filter = new CspFilter();
HttpServletRequest request = mock(HttpServletRequest.class);
HttpServletResponse response = mock(HttpServletResponse.class);
FilterChain chain = mock(FilterChain.class);
filter.doFilter(request, response, chain);
verify(response)
.setHeader(
"Content-Security-Policy", "default-src 'self'; object-src 'none'; base-uri 'self';");
verify(response).setHeader("X-Content-Type-Options", "nosniff");
verify(response).setHeader("X-Frame-Options", "DENY");
verify(chain).doFilter(request, response);
}
}
@@ -0,0 +1,4 @@
# ---------------------------------------
# Module: ee10-servlets
# ---------------------------------------
--module=ee10-servlets
@@ -3,6 +3,24 @@
xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_5_0.xsd"
version="5.0">
<filter>
<filter-name>CspHeaderFilter</filter-name>
<filter-class>org.eclipse.jetty.ee10.servlets.HeaderFilter</filter-class>
<init-param>
<param-name>headerConfig</param-name>
<param-value>
set Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; object-src 'none'; base-uri 'self';
set X-Content-Type-Options: nosniff
set X-Frame-Options: DENY
</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CspHeaderFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>default-no-cache</servlet-name>
<servlet-class>org.eclipse.jetty.ee10.servlet.DefaultServlet</servlet-class>
+11
View File
@@ -2,6 +2,17 @@
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd"
version="6.0">
<!-- Filters -->
<filter>
<filter-name>CspFilter</filter-name>
<filter-class>google.registry.ui.server.CspFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CspFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Servlets -->
<!-- Servlet for injected frontend actions -->