Allow configuring the referrer policy (#19917)

* Allow configuring the referrer policy

Closes #17288

* fixed indentation

---------

Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
This commit is contained in:
Pedro Igor 2023-05-30 13:27:12 -03:00 committed by GitHub
parent 6b42c2b4d0
commit 8aeee928e8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 38 additions and 2 deletions

View file

@ -861,6 +861,7 @@
"xRobotsTag": "X-Robots-Tag",
"xXSSProtection": "X-XSS-Protection",
"strictTransportSecurity": "HTTP Strict Transport Security (HSTS)",
"referrerPolicy": "Referrer Policy",
"failureFactor": "Max login failures",
"permanentLockout": "Permanent lockout",
"waitIncrementSeconds": "Wait increment",

View file

@ -63,6 +63,10 @@ export const HeadersForm = ({ realm, save }: HeadersFormProps) => {
fieldName="browserSecurityHeaders.strictTransportSecurity"
url="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security"
/>
<HelpLinkTextInput
fieldName="browserSecurityHeaders.referrerPolicy"
url="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy"
/>
<ActionGroup>
<Button

View file

@ -30,8 +30,7 @@ public enum BrowserSecurityHeaders {
X_ROBOTS_TAG("xRobotsTag", "X-Robots-Tag", "none"),
X_XSS_PROTECTION("xXSSProtection", "X-XSS-Protection", "1; mode=block"),
STRICT_TRANSPORT_SECURITY("strictTransportSecurity", "Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
REFERRER_POLICY("referrerPolicy", "Referrer-Policy", "no-referrer"),
;
REFERRER_POLICY("referrerPolicy", "Referrer-Policy", "no-referrer");
private final String key;
private final String headerName;
@ -68,6 +67,7 @@ public enum BrowserSecurityHeaders {
dh.put(X_ROBOTS_TAG.getKey(), X_ROBOTS_TAG.getDefaultValue());
dh.put(X_XSS_PROTECTION.getKey(), X_XSS_PROTECTION.getDefaultValue());
dh.put(STRICT_TRANSPORT_SECURITY.getKey(), STRICT_TRANSPORT_SECURITY.getDefaultValue());
dh.put(REFERRER_POLICY.getKey(), REFERRER_POLICY.getDefaultValue());
realmDefaultHeaders = Collections.unmodifiableMap(dh);
}

View file

@ -3,6 +3,18 @@ package org.keycloak.models;
import org.junit.Test;
import static org.junit.Assert.assertEquals;
import static org.keycloak.models.BrowserSecurityHeaders.CONTENT_SECURITY_POLICY;
import static org.keycloak.models.BrowserSecurityHeaders.CONTENT_SECURITY_POLICY_REPORT_ONLY;
import static org.keycloak.models.BrowserSecurityHeaders.REFERRER_POLICY;
import static org.keycloak.models.BrowserSecurityHeaders.STRICT_TRANSPORT_SECURITY;
import static org.keycloak.models.BrowserSecurityHeaders.X_CONTENT_TYPE_OPTIONS;
import static org.keycloak.models.BrowserSecurityHeaders.X_FRAME_OPTIONS;
import static org.keycloak.models.BrowserSecurityHeaders.X_ROBOTS_TAG;
import static org.keycloak.models.BrowserSecurityHeaders.X_XSS_PROTECTION;
import static org.keycloak.models.BrowserSecurityHeaders.realmDefaultHeaders;
import java.util.Arrays;
import java.util.List;
public class BrowserSecurityHeadersTest {
@ -14,4 +26,23 @@ public class BrowserSecurityHeadersTest {
assertEquals("frame-src 'custom-frame-src'; frame-ancestors 'custom-frame-ancestors'; object-src 'none';", ContentSecurityPolicyBuilder.create().frameSrc("'custom-frame-src'").frameAncestors("'custom-frame-ancestors'").build());
}
@Test
public void testDefaultHeaders() {
List<BrowserSecurityHeaders> expectedHeaders = Arrays.asList(
X_FRAME_OPTIONS,
CONTENT_SECURITY_POLICY,
CONTENT_SECURITY_POLICY_REPORT_ONLY,
X_CONTENT_TYPE_OPTIONS,
X_ROBOTS_TAG,
X_XSS_PROTECTION,
STRICT_TRANSPORT_SECURITY,
REFERRER_POLICY
);
assertEquals(expectedHeaders.size(), realmDefaultHeaders.size());
for (BrowserSecurityHeaders header : expectedHeaders) {
assertEquals(header.getDefaultValue(), realmDefaultHeaders.get(header.getKey()));
}
}
}