Content Security Policy Filter (Java)

Adds the 'Content-Security-Policy' or 'Content-Security-Policy-Report-Only' Header to the response.

Also see:

• http://content-security-policy.com/
• http://www.w3.org/TR/CSP/#directives
• https://developer.chrome.com/extensions/contentSecurityPolicy
• https://developer.mozilla.org/en-US/docs/Web/Security/CSP

Normally you will only need a limited number or none of the init parameters. If no init parameter is defined the Header will look like this:

Content-Security-Policy = default-src 'none'

Here is an example full configuration of the ContentSecurityPolicyFilter.

    <filter>
       <filter-name>ContentSecurityPolicyFilter</filter-name>
       <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class>
       
       <init-param>
           <!-- If not specified the default is false -->
           <param-name>report-only</param-name>
           <param-value>false</param-value>
        </init-param>
        <!-- Optionally add a reporter-uri -->            
       <init-param>
           <param-name>report-uri</param-name>
           <param-value>/ContentSecurityPolicyReporter</param-value>
        </init-param>
       <init-param>
           <param-name>sandbox</param-name>
           <param-value>true</param-value>
           <!-- true enables the sandbox behaviour - the default is false - one can also specify exceptions, e.g.
           <param-value>allow-forms allow-same-origin</param-value>
           -->
        </init-param>
       <!-- Remember that special keywords have to be put in single quotes, e.g. 'none', 'self' -->
       <init-param>
           <!-- If not specified the default is 'none' -->
           <param-name>default-src</param-name>
           <param-value>'none'</param-value>
        </init-param>
       <init-param>
           <param-name>img-src</param-name>
            <param-value>http://*.example.com</param-value>
        </init-param>
       <init-param>
           <param-name>script-src</param-name>
           <param-value>'self' js.example.com</param-value>
        </init-param>
       <init-param>
           <param-name>style-src</param-name>
           <param-value>'self'</param-value>
        </init-param>  
       <init-param>
           <param-name>connect-src</param-name>
           <param-value>'self'</param-value>
        </init-param> 
       <init-param>
           <param-name>font-src</param-name>
           <param-value>'self'</param-value>
        </init-param>   
       <init-param>
           <param-name>object-src</param-name>
           <param-value>'self'</param-value>
        </init-param>  
       <init-param>
           <param-name>media-src</param-name>
           <param-value>'self'</param-value>
        </init-param> 
       <init-param>
           <param-name>frame-src</param-name>
           <param-value>'self'</param-value>
        </init-param> 
    </filter>
    
    <filter-mapping> 
       <filter-name>ContentSecurityPolicyFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Optionally configure a Servlet to log the CSP violations:

     <servlet>
         <servlet-name>ContentSecurityPolicyReporter</servlet-name>
         <servlet-class>de.saville.csp.ContentSecurityPolicyReporter</servlet-class>
     </servlet>

     <servlet-mapping>
         <servlet-name>ContentSecurityPolicyReporter</servlet-name>
         <url-pattern>/ContentSecurityPolicyReporter</url-pattern>
     </servlet-mapping>