Allow empty CSP header in headers provider
Closes #29458 Signed-off-by: rmartinc <rmartinc@redhat.com>
This commit is contained in:
parent
6cc8d653f3
commit
2cc051346d
2 changed files with 31 additions and 10 deletions
|
@ -106,17 +106,17 @@ public class DefaultSecurityHeadersProvider implements SecurityHeadersProvider {
|
|||
|
||||
// TODO This will be refactored as part of introducing a more strict CSP header
|
||||
if (options != null) {
|
||||
ContentSecurityPolicyBuilder csp = ContentSecurityPolicyBuilder.create(
|
||||
headers.getFirst(CONTENT_SECURITY_POLICY.getHeaderName()).toString());
|
||||
|
||||
if (options.isAllowAnyFrameAncestor()) {
|
||||
headers.remove(BrowserSecurityHeaders.X_FRAME_OPTIONS.getHeaderName());
|
||||
}
|
||||
|
||||
if (csp.isDefaultFrameAncestors()) {
|
||||
Object cspVal = headers.getFirst(CONTENT_SECURITY_POLICY.getHeaderName());
|
||||
if (cspVal != null) {
|
||||
ContentSecurityPolicyBuilder csp = ContentSecurityPolicyBuilder.create(cspVal.toString());
|
||||
if (options.isAllowAnyFrameAncestor() && csp.isDefaultFrameAncestors()) {
|
||||
// only remove frame ancestors if defined to default 'self'
|
||||
csp.frameAncestors(null);
|
||||
}
|
||||
}
|
||||
|
||||
String allowedFrameSrc = options.getAllowedFrameSrc();
|
||||
if (allowedFrameSrc != null) {
|
||||
|
@ -126,6 +126,7 @@ public class DefaultSecurityHeadersProvider implements SecurityHeadersProvider {
|
|||
headers.putSingle(CONTENT_SECURITY_POLICY.getHeaderName(), csp.build());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private void addHeader(BrowserSecurityHeaders header, MultivaluedMap<String, Object> headers) {
|
||||
String value = headerValues.getOrDefault(header.getKey(), header.getDefaultValue());
|
||||
|
|
|
@ -40,7 +40,12 @@ import org.keycloak.testsuite.AbstractKeycloakTest;
|
|||
import org.keycloak.testsuite.ActionURIUtils;
|
||||
import org.keycloak.testsuite.oidc.PkceGenerator;
|
||||
import org.keycloak.testsuite.runonserver.ServerVersion;
|
||||
import org.keycloak.testsuite.updaters.RealmAttributeUpdater;
|
||||
import org.keycloak.testsuite.util.AdminClientUtil;
|
||||
import org.keycloak.testsuite.util.RealmBuilder;
|
||||
|
||||
import jakarta.ws.rs.client.Client;
|
||||
import jakarta.ws.rs.core.Response;
|
||||
import java.io.IOException;
|
||||
import java.net.URLEncoder;
|
||||
import java.util.Collections;
|
||||
|
@ -200,8 +205,23 @@ public class LoginStatusIframeEndpointTest extends AbstractKeycloakTest {
|
|||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void checkEmptyCsp() throws Exception {
|
||||
try (RealmAttributeUpdater realmUpdater = new RealmAttributeUpdater(adminClient.realm("test"))
|
||||
.setBrowserSecurityHeader(BrowserSecurityHeaders.CONTENT_SECURITY_POLICY.getKey(), "")
|
||||
.update();
|
||||
Client client = AdminClientUtil.createResteasyClient();
|
||||
Response response = client.target(suiteContext.getAuthServerInfo().getContextRoot()
|
||||
+ "/auth/realms/test/protocol/openid-connect/login-status-iframe.html").request().get()) {
|
||||
assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
|
||||
assertNull(response.getHeaderString(BrowserSecurityHeaders.CONTENT_SECURITY_POLICY.getKey()));
|
||||
assertNull(response.getHeaderString(BrowserSecurityHeaders.X_FRAME_OPTIONS.getHeaderName()));
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void addTestRealms(List<RealmRepresentation> testRealms) {
|
||||
testRealms.add(RealmBuilder.create().name("test").build());
|
||||
}
|
||||
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue