NAC-335: admin console with strict csp changes fixed

nuxeo · Feb 11, 2025 · 9989f69 · 9989f69
1 parent 5cddcea
commit 9989f69
Showing 1 changed file with 37 additions and 13 deletions.
diff --git a/nuxeo-admin-console-web/angular-app/src/index.jsp b/nuxeo-admin-console-web/angular-app/src/index.jsp
@@ -22,20 +22,44 @@ limitations under the License.
   String context = request.getContextPath();
 %> 
 -->
+<%@ page import="javax.servlet.http.HttpServletResponse" %>
+  <%@ page import="java.util.UUID" %>
+    <% HttpServletResponse resp=(HttpServletResponse) pageContext.getResponse(); String
+      NX_NONCE_VALUE=UUID.randomUUID().toString(); String updatedScriptSrcStr="'self' 'nonce-" + NX_NONCE_VALUE + "'" ;
+      String cspHeader=resp.getHeader("Content-Security-Policy"); String newCspHeader="" ; boolean
+      isExistingCspHeaderEmpty=false; if(cspHeader==null || cspHeader.trim().isEmpty()) { isExistingCspHeaderEmpty=true;
+      cspHeader="" ; } String scriptSrc="" ; String directive=null; // Replace non-breaking spaces with regular spaces
+      cspHeader=cspHeader.replaceAll("\u00A0", " " ); // Normalizing non-breaking spaces String[]
+      directives=cspHeader.trim().replaceAll("\\s+", " " ).split(";"); boolean foundScriptSrcMatch=false; boolean
+      foundObjectSrcMatch=false; for (int i=0; i < directives.length; i++) { directive=directives[i].trim(); if
+      (directive.startsWith("script-src ")) {
+        foundScriptSrcMatch = true;
+        directive = directive.trim() + " " + updatedScriptSrcStr;
+        directives[i] = directive;
+    }
+    if (directive.startsWith(" object-src ")) {
+      foundObjectSrcMatch = true;
+    }
+  }
+  if(foundScriptSrcMatch) {
+    newCspHeader =  String.join(" ;", directives); } else { newCspHeader=cspHeader.trim() + (isExistingCspHeaderEmpty
+      ? " script-src " : "; script-src " ) + updatedScriptSrcStr; } if(!foundObjectSrcMatch){
+      newCspHeader=newCspHeader.trim() + "; object-src 'none'" ; } resp.setHeader("Content-Security-Policy",
+      newCspHeader); %>
 
-<!DOCTYPE html>
-<html lang="">
+      <!DOCTYPE html>
+      <html lang="">
 
-<head>
-  <meta charset="utf-8" />
-  <title>Admin Console</title>
-  <base href="/" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <link rel="icon" type="image/svg+xml" href="favicon.svg">
-</head>
+      <head>
+        <meta charset="utf-8" />
+        <title>Admin Console</title>
+        <base href="/" />
+        <meta name="viewport" content="width=device-width, initial-scale=1" />
+        <link rel="icon" type="image/svg+xml" href="favicon.svg">
+      </head>
 
-<body>
-  <app baseUrl="<%= context %>"></app>
-</body>
+      <body>
+        <app baseUrl="<%= context %>" ngCspNonce="<%= NX_NONCE_VALUE %>"></app>
+      </body>
 
-</html>
+      </html>