myfaces-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lof...@apache.org
Subject svn commit: r1521478 - in /myfaces/tobago/trunk: src/site/apt/ tobago-core/ tobago-core/src/main/java/org/apache/myfaces/tobago/config/ tobago-core/src/main/java/org/apache/myfaces/tobago/context/ tobago-core/src/main/java/org/apache/myfaces/tobago/int...
Date Tue, 10 Sep 2013 13:36:07 GMT
Author: lofwyr
Date: Tue Sep 10 13:36:06 2013
New Revision: 1521478

URL: http://svn.apache.org/r1521478
Log:
TOBAGO-1310: Support for the CSP header field: Content-Security-Policy-Report-Only 
- add support for "report-only"
TOBAGO-1171: Support for the Content Security Policy (CSP) 
- change syntax for activating/deactivating
- adapt browser support
- same HTML rendering output (without attention to CSP state)

Added:
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/ContentSecurityPolicy.java
    myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/content/80-security/
    myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/content/80-security/content-security-policy.xhtml
Modified:
    myfaces/tobago/trunk/src/site/apt/migration-2.0.apt
    myfaces/tobago/trunk/tobago-core/pom.xml
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/ClientProperties.java
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/UserAgent.java
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/util/ResponseUtils.java
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoResponseWriter.java
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoServletContextListener.java
    myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-2.0.xsd
    myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/context/UserAgentUnitTest.java
    myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigMergingUnitTest.java
    myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParserUnitTest.java
    myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-2.0.xml
    myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-0.xml
    myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-1.xml
    myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-2.xml
    myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-untidy-2.0.xml
    myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
    myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml
    myfaces/tobago/trunk/tobago-example/tobago-example-test/src/test/java/org/apache/myfaces/tobago/example/test/TestTheAutomaticSeleniumTest.java
    myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java
    myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/META-INF/tobago-config.xml

Modified: myfaces/tobago/trunk/src/site/apt/migration-2.0.apt
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/src/site/apt/migration-2.0.apt?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/src/site/apt/migration-2.0.apt (original)
+++ myfaces/tobago/trunk/src/site/apt/migration-2.0.apt Tue Sep 10 13:36:06 2013
@@ -34,12 +34,12 @@ Artifacts (JAR-Files)
 
 CSP
 
-  Tobago supports Content Security Policy (SCP) to prevent cross-site
+  Tobago supports Content Security Policy (CSP) to prevent cross-site
   scripting (XSS) and related attacks.
   Specification link http://www.w3.org/TR/CSP/
   In short: The HTML page doesn't contain any JavaScript or CSS information.
   All allowed sources for JavaScript, CSS and other resources have to be declared in special header.
-  If you have own renderers or own JavaScript in your application, this code also needs to support SCP, to use this feature.
+  If you have own renderers or own JavaScript in your application, this code also needs to support CSP, to use this feature.
 
 * Warning:
 
@@ -52,9 +52,8 @@ CSP
   To add sites to the CSP headers, add <<<\<directive\>>>> tags to <<<\<content-security-policy\>>>> in
   the <<<tobago-config.xml>>>.
 
-  To turn off CSP, add an empty <<<\<content-security-policy extension-mode="replace"\>>>> tag in the configuration.
-  This will reset the list of directive entries.
-  If there is no entry, the feature is disabled.
+  To turn off CSP, add an empty <<<\<content-security-policy mode="off"\>>>> tag in the configuration.
+  For development, you may also use mode="report-only", which sets the appropriate header.
 
 Java-API
 

Modified: myfaces/tobago/trunk/tobago-core/pom.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/pom.xml?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/pom.xml (original)
+++ myfaces/tobago/trunk/tobago-core/pom.xml Tue Sep 10 13:36:06 2013
@@ -258,12 +258,14 @@
       <groupId>com.google.caliper</groupId>
       <artifactId>caliper</artifactId>
     </dependency-->
+<!--
     <dependency>
       <groupId>com.google.code.gson</groupId>
       <artifactId>gson</artifactId>
       <version>2.2.2</version>
       <scope>compile</scope>
     </dependency>
+-->
   </dependencies>
 
   <profiles>

Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java Tue Sep 10 13:36:06 2013
@@ -21,6 +21,7 @@ package org.apache.myfaces.tobago.config
 
 import org.apache.myfaces.tobago.application.ProjectStage;
 import org.apache.myfaces.tobago.context.Theme;
+import org.apache.myfaces.tobago.internal.config.ContentSecurityPolicy;
 
 import javax.faces.context.FacesContext;
 import javax.servlet.ServletContext;
@@ -72,8 +73,6 @@ public abstract class TobagoConfig {
 
   public abstract boolean isPreventFrameAttacks();
 
-  public abstract List<String> getContentSecurityPolicy();
-
-  public abstract boolean isContentSecurityPolicyActive();
+  public abstract ContentSecurityPolicy getContentSecurityPolicy();
 
 }

Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/ClientProperties.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/ClientProperties.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/ClientProperties.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/ClientProperties.java Tue Sep 10 13:36:06 2013
@@ -124,23 +124,16 @@ public class ClientProperties implements
   }
 
   /**
-   * @deprecated since 1.5. Please use 
-   * {@link 
-   * org.apache.myfaces.tobago.util.VariableResolverUtils#resolveClientProperties(javax.faces.context.FacesContext)} 
+   * @deprecated since 1.5. Please use
+   * {@link #getInstance(javax.faces.context.FacesContext)}
    */
   @Deprecated
   public static ClientProperties getInstance(UIViewRoot viewRoot) {
     return getInstance(FacesContext.getCurrentInstance());
   }
 
-  /**
-   * @deprecated since 1.5. Please use 
-   * {@link 
-   * org.apache.myfaces.tobago.util.VariableResolverUtils#resolveClientProperties(javax.faces.context.FacesContext)} 
-   */
-  @Deprecated
   public static ClientProperties getInstance(FacesContext facesContext) {
-    return (ClientProperties) VariableResolverUtils.resolveClientProperties(facesContext);
+    return (ClientProperties) VariableResolverUtils.resolveVariable(facesContext, MANAGED_BEAN_NAME);
   }
 
   /**

Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/UserAgent.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/UserAgent.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/UserAgent.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/context/UserAgent.java Tue Sep 10 13:36:06 2013
@@ -20,17 +20,22 @@
 package org.apache.myfaces.tobago.context;
 
 import org.apache.myfaces.tobago.internal.util.Deprecation;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.EnumSet;
 import java.util.List;
+import java.util.StringTokenizer;
 
 public class UserAgent implements Serializable {
 
   private static final long serialVersionUID = 2L;
 
+  private static final Logger LOG = LoggerFactory.getLogger(UserAgent.class);
+
   public static final String DEFAULT_NAME = "standard";
 
   public static final UserAgent DEFAULT = new UserAgent(null, null);
@@ -49,12 +54,14 @@ public class UserAgent implements Serial
   @Deprecated
   public static final UserAgent MSIE_5_5 = new UserAgent("msie", "5_5");
 
-  public static final UserAgent MSIE_6_0 = new UserAgent("msie", "6_0");
+  public static final UserAgent MSIE_6_0
+      = new UserAgent("msie", "6_0", null, CspHeader.NOT_SUPPORTED, CsproHeader.NOT_SUPPORTED);
 
-  public static final UserAgent MSIE_7_0 = new UserAgent("msie", "7_0");
+  public static final UserAgent MSIE_7_0
+      = new UserAgent("msie", "7_0", null, CspHeader.NOT_SUPPORTED, CsproHeader.NOT_SUPPORTED);
 
-  public static final UserAgent MSIE_7_0_COMPAT
-      = new UserAgent("msie", "7_0", EnumSet.of(Capability.IE_COMPATIBILITY_MODE));
+  public static final UserAgent MSIE_7_0_COMPAT = new UserAgent(
+      "msie", "7_0", EnumSet.of(Capability.IE_COMPATIBILITY_MODE), CspHeader.NOT_SUPPORTED, CsproHeader.NOT_SUPPORTED);
 
   /**
    * @deprecated no longer supported, since Tobago 1.5. Misspelled. Use {@link #MSIE_7_0}
@@ -62,12 +69,15 @@ public class UserAgent implements Serial
   @Deprecated
   public static final UserAgent MSIE_7_O = MSIE_7_0;
 
-  public static final UserAgent MSIE_8_0 = new UserAgent("msie", "8_0");
+  public static final UserAgent MSIE_8_0 = new UserAgent(
+      "msie", "8_0", EnumSet.of(Capability.CONTENT_TYPE_XHTML), CspHeader.NOT_SUPPORTED, CsproHeader.NOT_SUPPORTED);
 
-  public static final UserAgent MSIE_9_0 = new UserAgent("msie", "9_0", EnumSet.of(Capability.CONTENT_TYPE_XHTML));
+  public static final UserAgent MSIE_9_0 = new UserAgent(
+      "msie", "9_0", EnumSet.of(Capability.CONTENT_TYPE_XHTML), CspHeader.NOT_SUPPORTED, CsproHeader.NOT_SUPPORTED);
 
-  public static final UserAgent MSIE_10_0
-      = new UserAgent("msie", "10_0", EnumSet.of(Capability.CONTENT_TYPE_XHTML), CspHeader.CSP_GECKO);
+  // CSP is not fully supported, only sandboxing
+  public static final UserAgent MSIE_10_0 = new UserAgent(
+      "msie", "10_0", EnumSet.of(Capability.CONTENT_TYPE_XHTML), CspHeader.X, CsproHeader.X);
 
   /**
    * @deprecated no longer supported, since Tobago 1.5
@@ -137,61 +147,71 @@ public class UserAgent implements Serial
   /**
    * e. g. Firefox
    */
-  public static final UserAgent GECKO
-      = new UserAgent("gecko", null, EnumSet.of(Capability.CONTENT_TYPE_XHTML), CspHeader.CSP_GECKO);
+  public static final UserAgent GECKO = new UserAgent("gecko", null, EnumSet.of(Capability.CONTENT_TYPE_XHTML));
 
   /**
    * e. g. Firefox 2.0
    */
-  public static final UserAgent GECKO_1_8 = new UserAgent("gecko", "1_8", EnumSet.of(Capability.CONTENT_TYPE_XHTML));
+  public static final UserAgent GECKO_1_8 = new UserAgent("gecko", "1_8", EnumSet.of(Capability.CONTENT_TYPE_XHTML),
+      CspHeader.NOT_SUPPORTED, CsproHeader.NOT_SUPPORTED);
 
   /**
    * e. g. Firefox 3.0, 3.5, 3.6
    */
-  public static final UserAgent GECKO_1_9 = new UserAgent("gecko", "1_9", EnumSet.of(Capability.CONTENT_TYPE_XHTML));
+  public static final UserAgent GECKO_1_9 = new UserAgent("gecko", "1_9", EnumSet.of(Capability.CONTENT_TYPE_XHTML),
+      CspHeader.NOT_SUPPORTED, CsproHeader.NOT_SUPPORTED);
 
   /**
-   * e. g. Firefox 4.0
+   * e. g. Firefox 4 to 22
    */
   public static final UserAgent GECKO_2_0
-      = new UserAgent("gecko", "2_0",
-      EnumSet.of(Capability.PLACEHOLDER, Capability.CONTENT_TYPE_XHTML), CspHeader.CSP_GECKO);
+      = new UserAgent("gecko", null,
+      EnumSet.of(Capability.PLACEHOLDER, Capability.CONTENT_TYPE_XHTML), CspHeader.X, CsproHeader.X);
 
   /**
-   * e. g. Firefox 5.0
+   * e. g. Firefox 23 or higher
    */
-  public static final UserAgent GECKO_5_0
-      = new UserAgent("gecko", "5_0",
-      EnumSet.of(Capability.PLACEHOLDER, Capability.CONTENT_TYPE_XHTML), CspHeader.CSP_GECKO);
+  public static final UserAgent GECKO_23_0
+      = new UserAgent("gecko", null,
+      EnumSet.of(Capability.PLACEHOLDER, Capability.CONTENT_TYPE_XHTML), CspHeader.STANDARD, CsproHeader.STANDARD);
 
   /**
    * e. g. Safari 4, Safari 5, Chrome
    */
   public static final UserAgent WEBKIT
       = new UserAgent("webkit", null,
-      EnumSet.of(Capability.PLACEHOLDER, Capability.CONTENT_TYPE_XHTML), CspHeader.CSP_WEBKIT);
+      EnumSet.of(Capability.PLACEHOLDER, Capability.CONTENT_TYPE_XHTML), CspHeader.WEBKIT, CsproHeader.WEBKIT);
 
   private final String name;
 
+  /**
+   * @deprecated Version shouldn't be used in the future. Use capability instead, even better
+   * use same code on the server when possible and use capability via JavaScript.
+   */
+  @Deprecated
   private final String version;
 
   private final EnumSet<Capability> capabilities;
 
   private final CspHeader cspHeader;
 
+  private final CsproHeader csproHeader;
+
   private UserAgent(String name, String version) {
     this(name, version, EnumSet.of(Capability.CONTENT_TYPE_XHTML));
   }
 
   private UserAgent(String name, String version, EnumSet<Capability> capabilities) {
-    this(name, version, capabilities, CspHeader.CSP_NOT_SUPPORTED);
+    this(name, version, capabilities, CspHeader.STANDARD, CsproHeader.STANDARD);
   }
 
-  private UserAgent(String name, String version, EnumSet<Capability> capabilities, CspHeader cspHeader) {
+  private UserAgent(
+      String name, String version, EnumSet<Capability> capabilities, CspHeader cspHeader, CsproHeader csproHeader) {
     this.name = name;
     this.version = version;
     this.capabilities = capabilities;
     this.cspHeader = cspHeader;
+    this.csproHeader = csproHeader;
   }
 
   public boolean hasCapability(Capability capability) {
@@ -234,10 +254,17 @@ public class UserAgent implements Serial
   }
 
   /**
-   * @return The HTTP header name for Content-Security-Policy.
+   * @return The HTTP header names for Content-Security-Policy.
+   */
+  public String[] getCspHeaders() {
+    return cspHeader.getNames();
+  }
+
+  /**
+   * @return The HTTP header name for Content-Security-Policy-Report-Only.
    */
-  public String getCspHeader() {
-    return cspHeader.getName();
+  public String[] getCspReportOnlyHeaders() {
+    return csproHeader.getNames();
   }
 
   public static UserAgent getInstance(String header) {
@@ -270,11 +297,22 @@ public class UserAgent implements Serial
         return GECKO_1_8;
       } else if (header.contains("rv:1.9")) {
         return GECKO_1_9;
-      } else if (header.contains("rv:2.0")) {
-        return GECKO_2_0;
-      } else if (header.contains("rv:5.0")) {
-        return GECKO_5_0;
       } else {
+        final int index = header.indexOf("rv:");
+        final StringTokenizer tokenizer = new StringTokenizer(header.substring(index + 3), " .");
+        final String versionString = tokenizer.nextToken();
+        try {
+          int version = Integer.parseInt(versionString);
+          if (version >= 23) {
+            return GECKO_23_0;
+          } else if (version >= 2) {
+            return GECKO_2_0;
+          }
+        } catch (NumberFormatException e) {
+          if (LOG.isDebugEnabled()) {
+            LOG.debug(header, e);
+          }
+        }
         return GECKO;
       }
     } else if (header.contains("Presto")) {
@@ -305,19 +343,37 @@ public class UserAgent implements Serial
 
   private static enum CspHeader {
 
-    CSP_NOT_SUPPORTED(null),
-    CSP_GECKO("X-Content-Security-Policy"),
-    CSP_WEBKIT("X-WebKit-CSP"),
-    CSP_STANDARD("Content-Security-Policy");
+    NOT_SUPPORTED(new String[] {}),
+    X(new String[] {"Content-Security-Policy", "X-Content-Security-Policy"}),
+    WEBKIT(new String[] {"Content-Security-Policy", "X-WebKit-CSP"}),
+    STANDARD(new String[] {"Content-Security-Policy"});
+
+    private String[] names;
+
+    private CspHeader(String[] names) {
+      this.names = names;
+    }
+
+    public String[] getNames() {
+      return names;
+    }
+  }
+
+  private static enum CsproHeader {
+
+    NOT_SUPPORTED(new String[] {}),
+    X(new String[] {"Content-Security-Policy-Report-Only", "X-Content-Security-Policy-Report-Only"}),
+    WEBKIT(new String[] {"Content-Security-Policy-Report-Only", "X-WebKit-CSP-Report-Only"}),
+    STANDARD(new String[] {"Content-Security-Policy-Report-Only"});
 
-    private String name;
+    private String[] names;
 
-    private CspHeader(String name) {
-      this.name = name;
+    private CsproHeader(String[] names) {
+      this.names = names;
     }
 
-    public String getName() {
-      return name;
+    public String[] getNames() {
+      return names;
     }
   }
 }

Added: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/ContentSecurityPolicy.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/ContentSecurityPolicy.java?rev=1521478&view=auto
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/ContentSecurityPolicy.java (added)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/ContentSecurityPolicy.java Tue Sep 10 13:36:06 2013
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.myfaces.tobago.internal.config;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class ContentSecurityPolicy {
+
+  private Mode mode;
+  private List<String> directiveList;
+
+  public ContentSecurityPolicy(String mode) {
+    this.mode = Mode.parse(mode);
+    this.directiveList = new ArrayList<String>();
+  }
+
+  public void merge(ContentSecurityPolicy other) {
+    directiveList.addAll(other.directiveList);
+    mode = other.mode;
+  }
+
+  public List<String> getDirectiveList() {
+    return directiveList;
+  }
+
+  public Mode getMode() {
+    return mode;
+  }
+
+  public static enum Mode {
+    ON("on"),
+    OFF("off"),
+    REPORT_ONLY("report-only");
+
+    private final String value;
+
+    private Mode(String value) {
+      this.value = value;
+    }
+
+    public String getValue() {
+      return value;
+    }
+
+    public static Mode parse(String string) {
+      if (ON.value.equals(string)) {
+        return ON;
+      } else if (OFF.value.equals(string)) {
+        return OFF;
+      } else if (REPORT_ONLY.value.equals(string)) {
+        return REPORT_ONLY;
+      } else {
+        throw new IllegalArgumentException("Found: " + string);
+      }
+    }
+  }
+
+}

Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java Tue Sep 10 13:36:06 2013
@@ -43,8 +43,7 @@ public class TobagoConfigFragment {
   private Boolean createSessionSecret;
   private Boolean checkSessionSecret;
   private Boolean preventFrameAttacks;
-  private List<String> contentSecurityPolicy;
-  private boolean contentSecurityPolicyExtensionModeReplace;
+  private ContentSecurityPolicy contentSecurityPolicy;
   private List<ThemeImpl> themeDefinitions;
   private URL url;
 
@@ -54,7 +53,6 @@ public class TobagoConfigFragment {
     supportedThemeNames = new ArrayList<String>();
     resourceDirs = new ArrayList<String>();
     themeDefinitions = new ArrayList<ThemeImpl>();
-    contentSecurityPolicy = new ArrayList<String>();
   }
 
   public void addSupportedThemeName(String name) {
@@ -156,20 +154,12 @@ public class TobagoConfigFragment {
     this.preventFrameAttacks = preventFrameAttacks;
   }
 
-  public List<String> getContentSecurityPolicy() {
+  public ContentSecurityPolicy getContentSecurityPolicy() {
     return contentSecurityPolicy;
   }
 
-  public void addContentSecurityPolicy(String directive) {
-    contentSecurityPolicy.add(directive);
-  }
-
-  public boolean isContentSecurityPolicyExtensionModeReplace() {
-    return contentSecurityPolicyExtensionModeReplace;
-  }
-
-  public void setContentSecurityPolicyExtensionModeReplace(boolean contentSecurityPolicyExtensionModeReplace) {
-    this.contentSecurityPolicyExtensionModeReplace = contentSecurityPolicyExtensionModeReplace;
+  public void setContentSecurityPolicy(ContentSecurityPolicy contentSecurityPolicy) {
+    this.contentSecurityPolicy = contentSecurityPolicy;
   }
 
   /** @deprecated since 1.5.0 */

Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java Tue Sep 10 13:36:06 2013
@@ -59,7 +59,7 @@ public class TobagoConfigImpl extends To
   private boolean createSessionSecret;
   private boolean checkSessionSecret;
   private boolean preventFrameAttacks;
-  private List<String> contentSecurityPolicy;
+  private ContentSecurityPolicy contentSecurityPolicy;
   private URL url;
   private Map<String, String> defaultValidatorInfo;
 
@@ -70,7 +70,7 @@ public class TobagoConfigImpl extends To
     createSessionSecret = true;
     checkSessionSecret = true;
     preventFrameAttacks = true;
-    contentSecurityPolicy = new ArrayList<String>();
+    contentSecurityPolicy = new ContentSecurityPolicy(ContentSecurityPolicy.Mode.OFF.getValue());
   }
 
   public void addSupportedThemeName(String name) {
@@ -282,18 +282,10 @@ public class TobagoConfigImpl extends To
     this.preventFrameAttacks = preventFrameAttacks;
   }
 
-  public List<String> getContentSecurityPolicy() {
+  public ContentSecurityPolicy getContentSecurityPolicy() {
     return contentSecurityPolicy;
   }
 
-  public void addContentSecurityPolicy(String directive) {
-    contentSecurityPolicy.add(directive);
-  }
-
-  public boolean isContentSecurityPolicyActive() {
-    return contentSecurityPolicy.size() > 0;
-  }
-
   public Map<String, String> getDefaultValidatorInfo() {
 
     // TODO: if the startup hasn't found a FacesContext and Application, this may depend on the order of the listeners.

Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java Tue Sep 10 13:36:06 2013
@@ -152,8 +152,8 @@ public class TobagoConfigParser extends 
         break;
 
       case CONTENT_SECURITY_POLICY:
-        final String extensionMode = attributes.getValue("extension-mode");
-        tobagoConfig.setContentSecurityPolicyExtensionModeReplace("replace".equals(extensionMode));
+        final String mode = attributes.getValue("mode");
+        tobagoConfig.setContentSecurityPolicy(new ContentSecurityPolicy(mode));
         break;
 
       case RENDERERS:
@@ -296,7 +296,7 @@ public class TobagoConfigParser extends 
         break;
 
       case DIRECTIVE:
-        tobagoConfig.addContentSecurityPolicy(text);
+        tobagoConfig.getContentSecurityPolicy().getDirectiveList().add(text);
         break;
 
       case MARKUP:

Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java Tue Sep 10 13:36:06 2013
@@ -103,12 +103,8 @@ public class TobagoConfigSorter implemen
         result.setPreventFrameAttacks(fragment.getPreventFrameAttacks());
       }
 
-      if (fragment.isContentSecurityPolicyExtensionModeReplace()) {
-        result.getContentSecurityPolicy().clear();
-      } else {
-        for (String directive : fragment.getContentSecurityPolicy()) {
-          result.addContentSecurityPolicy(directive);
-        }
+      if (fragment.getContentSecurityPolicy() != null) {
+        result.getContentSecurityPolicy().merge(fragment.getContentSecurityPolicy());
       }
 
       // theme definition

Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/util/ResponseUtils.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/util/ResponseUtils.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/util/ResponseUtils.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/util/ResponseUtils.java Tue Sep 10 13:36:06 2013
@@ -21,13 +21,13 @@ package org.apache.myfaces.tobago.intern
 
 import org.apache.myfaces.tobago.context.ClientProperties;
 import org.apache.myfaces.tobago.context.UserAgent;
+import org.apache.myfaces.tobago.internal.config.ContentSecurityPolicy;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.faces.context.ExternalContext;
 import javax.faces.context.FacesContext;
 import javax.servlet.http.HttpServletResponse;
-import java.util.List;
 
 public class ResponseUtils {
 
@@ -76,19 +76,34 @@ public class ResponseUtils {
     }
   }
 
-  public static void ensureContentSecurityPolicyHeader(FacesContext facesContext, List<String> contentSecurityPolicy) {
+  public static void ensureContentSecurityPolicyHeader(
+      FacesContext facesContext, ContentSecurityPolicy contentSecurityPolicy) {
     // TODO PortletRequest
     if (facesContext.getExternalContext().getResponse() instanceof HttpServletResponse) {
       final UserAgent userAgent = ClientProperties.getInstance(facesContext).getUserAgent();
-      final String cspHeader = userAgent.getCspHeader();
-      if (cspHeader != null) {
-        final StringBuilder value = new StringBuilder();
-        for (String directive : contentSecurityPolicy) {
-          value.append(directive);
-          value.append(";");
-        }
+      final String[] cspHeaders;
+      switch (contentSecurityPolicy.getMode()) {
+        case OFF:
+          cspHeaders = new String[0];
+          break;
+        case ON:
+          cspHeaders = userAgent.getCspHeaders();
+          break;
+        case REPORT_ONLY:
+          cspHeaders = userAgent.getCspReportOnlyHeaders();
+          break;
+        default:
+          throw new IllegalArgumentException("Undefined mode: " + contentSecurityPolicy.getMode());
+      }
+      final StringBuilder builder = new StringBuilder();
+      for (String directive : contentSecurityPolicy.getDirectiveList()) {
+        builder.append(directive);
+        builder.append(";");
+      }
+      String value = builder.toString();
+      for (String cspHeader : cspHeaders) {
         final HttpServletResponse response = (HttpServletResponse) facesContext.getExternalContext().getResponse();
-        response.setHeader(cspHeader, value.toString());
+        response.setHeader(cspHeader, value);
       }
     }
   }

Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoResponseWriter.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoResponseWriter.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoResponseWriter.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoResponseWriter.java Tue Sep 10 13:36:06 2013
@@ -19,7 +19,6 @@
 
 package org.apache.myfaces.tobago.webapp;
 
-import org.apache.myfaces.tobago.config.TobagoConfig;
 import org.apache.myfaces.tobago.renderkit.css.Classes;
 import org.apache.myfaces.tobago.renderkit.css.Style;
 import org.apache.myfaces.tobago.renderkit.html.DataAttributes;
@@ -27,7 +26,6 @@ import org.apache.myfaces.tobago.renderk
 import org.apache.myfaces.tobago.renderkit.html.HtmlElements;
 
 import javax.faces.component.UIComponent;
-import javax.faces.context.FacesContext;
 import javax.faces.context.ResponseWriter;
 import java.io.IOException;
 import java.io.Writer;
@@ -150,54 +148,15 @@ public abstract class TobagoResponseWrit
   @Deprecated
   public abstract void writeClassAttribute() throws IOException;
 
-/*
-  private long self = 0;
-  private long gson = 0;
-
-  private synchronized void time(long s, long g) {
-    self += s;
-    gson += g;
-  }
-
-  private static final Logger LOG = LoggerFactory.getLogger(TobagoResponseWriter.class);
-
-  public static final Gson GSON = new Gson();
-
-*/
   /**
    * Write the style attribute. The value will not escaped.
    */
   public void writeStyleAttribute(Style style) throws IOException {
     if (style != null) {
-      if (TobagoConfig.getInstance(FacesContext.getCurrentInstance()).isContentSecurityPolicyActive()) {
-
-//        final long a = System.nanoTime();
-
-        final String json = style.encodeJson();
-
-/*
-        final long b = System.nanoTime();
-
-        final String json2 = GSON.toJson(style);
-
-        final long c = System.nanoTime();
-
-        time(b-a, c-b);
-
-        LOG.error("self: " + json);
-        LOG.error("gson: " + json2);
-        LOG.error("self: " + self + " gson: " + gson);
-
-*/
-        if (json.length() > 2) { // empty "{}" needs not to be written
-          writeAttribute(DataAttributes.STYLE, json, true);
-        }
-      } else {
-
-        final String value = style.encode();
-        if (value.length() > 0) {
-          writeAttribute(HtmlAttributes.STYLE, value, style.needsToBeEscaped());
-        }
+      final String json = style.encodeJson();
+      if (json.length() > 2) { // empty "{}" needs not to be written
+        writeAttribute(DataAttributes.STYLE, json, true);
+        // todo: check not escaping, when it's not needed, use: style.needsToBeEscaped()
       }
     }
   }

Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoServletContextListener.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoServletContextListener.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoServletContextListener.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/TobagoServletContextListener.java Tue Sep 10 13:36:06 2013
@@ -20,6 +20,7 @@
 package org.apache.myfaces.tobago.webapp;
 
 import org.apache.myfaces.tobago.config.TobagoConfig;
+import org.apache.myfaces.tobago.internal.config.ContentSecurityPolicy;
 import org.apache.myfaces.tobago.internal.config.TobagoConfigBuilder;
 import org.apache.myfaces.tobago.internal.context.ResourceManagerFactory;
 import org.slf4j.Logger;
@@ -50,14 +51,19 @@ public class TobagoServletContextListene
     if (LOG.isInfoEnabled()) {
       final TobagoConfig tobagoConfig = TobagoConfig.getInstance(servletContext);
       LOG.info("TobagoConfig: " + tobagoConfig);
-      if (tobagoConfig.isContentSecurityPolicyActive()) {
-        LOG.info("********************************************************************************");
-        LOG.info("* Note: CSP is activated!                                                      *");
-        LOG.info("* You may need to check application specific JavaScript code.                  *");
-        LOG.info("* Otherwise the application will not run in browsers, that are supporting CSP. *");
-        LOG.info("* For more information see http://myfaces.apache.org/tobago/migration-2.0.html *");
-        LOG.info("********************************************************************************");
+      final ContentSecurityPolicy.Mode mode = tobagoConfig.getContentSecurityPolicy().getMode();
+      StringBuilder builder = new StringBuilder();
+      builder.append("\n*************************************************************************************");
+      builder.append("\nNote: CSP is ");
+      builder.append(mode);
+      if (mode == ContentSecurityPolicy.Mode.ON) {
+        builder.append("\nYou may need to check application specific JavaScript code.");
+        builder.append("\nOtherwise the application will not run in modern browsers, that are supporting CSP.");
+        builder.append("\nFor more information see http://myfaces.apache.org/tobago/migration-2.0.html");
       }
+      builder.append("\n*************************************************************************************");
+      final String note = builder.toString();
+      LOG.info(note);
       LOG.info("ResourcesManager: " + ResourceManagerFactory.getResourceManager(servletContext));
     }
   }

Modified: myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-2.0.xsd
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-2.0.xsd?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-2.0.xsd (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-2.0.xsd Tue Sep 10 13:36:06 2013
@@ -105,15 +105,14 @@
     <xs:sequence>
       <xs:element name="directive" type="xs:string" maxOccurs="unbounded" minOccurs="0"/>
     </xs:sequence>
-    <xs:attribute name="extension-mode"
-                  type="tobago:extension-mode-type"
-                  default="add"/>
+    <xs:attribute name="mode" type="tobago:scp-mode-type" use="required"/>
   </xs:complexType>
 
-  <xs:simpleType name="extension-mode-type">
+  <xs:simpleType name="scp-mode-type">
     <xs:restriction base="xs:token">
-      <xs:enumeration value="add"/>
-      <xs:enumeration value="replace"/>
+      <xs:enumeration value="on"/>
+      <xs:enumeration value="off"/>
+      <xs:enumeration value="report-only"/>
     </xs:restriction>
   </xs:simpleType>
 

Modified: myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/context/UserAgentUnitTest.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/context/UserAgentUnitTest.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/context/UserAgentUnitTest.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/context/UserAgentUnitTest.java Tue Sep 10 13:36:06 2013
@@ -99,8 +99,12 @@ public class UserAgentUnitTest {
             "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3pre) Gecko/20100328 Ubuntu/9.10 (karmic) "
                 + "Namoroka/3.6.3pre"},
 
+        {"Firefox 23.0 - Mac OS X Mountain Lion",
+            UserAgent.GECKO_23_0,
+            "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:23.0) Gecko/20100101 Firefox/23.0"},
+
         {"Firefox 5.0 - Mac OS X Snow Leopard",
-            UserAgent.GECKO_5_0,
+            UserAgent.GECKO_2_0,
             "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20100101 Firefox/5.0"},
 
         {"Firefox 4.0 beta 2 - Mac OS X Snow Leopard",

Modified: myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigMergingUnitTest.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigMergingUnitTest.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigMergingUnitTest.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigMergingUnitTest.java Tue Sep 10 13:36:06 2013
@@ -68,9 +68,9 @@ public class TobagoConfigMergingUnitTest
     final TobagoConfigImpl config = loadAndMerge(
         "tobago-config-merge-0.xml");
 
-    Assert.assertTrue(config.isContentSecurityPolicyActive());
-    Assert.assertEquals(1, config.getContentSecurityPolicy().size());
-    Assert.assertEquals("default-src 'self'", config.getContentSecurityPolicy().get(0));
+    Assert.assertTrue(config.getContentSecurityPolicy().getMode() == ContentSecurityPolicy.Mode.ON);
+    Assert.assertEquals(1, config.getContentSecurityPolicy().getDirectiveList().size());
+    Assert.assertEquals("default-src 'self'", config.getContentSecurityPolicy().getDirectiveList().get(0));
   }
 
   @Test
@@ -81,10 +81,10 @@ public class TobagoConfigMergingUnitTest
         "tobago-config-merge-0.xml",
         "tobago-config-merge-1.xml");
 
-    Assert.assertTrue(config.isContentSecurityPolicyActive());
-    Assert.assertEquals(2, config.getContentSecurityPolicy().size());
-    Assert.assertEquals("default-src 'self'", config.getContentSecurityPolicy().get(0));
-    Assert.assertEquals("image-src http://apache.org", config.getContentSecurityPolicy().get(1));
+    Assert.assertTrue(config.getContentSecurityPolicy().getMode() == ContentSecurityPolicy.Mode.REPORT_ONLY);
+    Assert.assertEquals(2, config.getContentSecurityPolicy().getDirectiveList().size());
+    Assert.assertEquals("default-src 'self'", config.getContentSecurityPolicy().getDirectiveList().get(0));
+    Assert.assertEquals("image-src http://apache.org", config.getContentSecurityPolicy().getDirectiveList().get(1));
   }
 
   @Test
@@ -96,8 +96,8 @@ public class TobagoConfigMergingUnitTest
         "tobago-config-merge-1.xml",
         "tobago-config-merge-2.xml");
 
-    Assert.assertFalse(config.isContentSecurityPolicyActive());
-    Assert.assertEquals(0, config.getContentSecurityPolicy().size());
+    Assert.assertTrue(config.getContentSecurityPolicy().getMode() == ContentSecurityPolicy.Mode.OFF);
+    Assert.assertEquals(2, config.getContentSecurityPolicy().getDirectiveList().size());
   }
 
   private TobagoConfigImpl loadAndMerge(String... names)

Modified: myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParserUnitTest.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParserUnitTest.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParserUnitTest.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParserUnitTest.java Tue Sep 10 13:36:06 2013
@@ -70,11 +70,9 @@ public class TobagoConfigParserUnitTest 
     Assert.assertEquals(false, fragment.getCheckSessionSecret().booleanValue());
     Assert.assertEquals(false, fragment.getPreventFrameAttacks().booleanValue());
 
-    Assert.assertEquals(2, fragment.getContentSecurityPolicy().size());
-    Assert.assertEquals("default-src 'self'", fragment.getContentSecurityPolicy().get(0));
-    Assert.assertEquals("frame-src http://apache.org", fragment.getContentSecurityPolicy().get(1));
-    // todo: disabled
-    // todo: replace
+    Assert.assertEquals(2, fragment.getContentSecurityPolicy().getDirectiveList().size());
+    Assert.assertEquals("default-src 'self'", fragment.getContentSecurityPolicy().getDirectiveList().get(0));
+    Assert.assertEquals("frame-src http://apache.org", fragment.getContentSecurityPolicy().getDirectiveList().get(1));
 
     Assert.assertEquals(2, fragment.getRenderersConfig().getRendererConfigs().size());
     Assert.assertTrue(fragment.getRenderersConfig().isMarkupSupported("myRenderer-1", "my-markup-1"));

Modified: myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-2.0.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-2.0.xml?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-2.0.xml (original)
+++ myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-2.0.xml Tue Sep 10 13:36:06 2013
@@ -48,7 +48,7 @@
   <check-session-secret>false</check-session-secret>
   <prevent-frame-attacks>false</prevent-frame-attacks>
 
-  <content-security-policy extension-mode="replace">
+  <content-security-policy mode="on">
     <directive>default-src 'self'</directive>
     <directive>frame-src http://apache.org</directive>
   </content-security-policy>

Modified: myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-0.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-0.xml?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-0.xml (original)
+++ myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-0.xml Tue Sep 10 13:36:06 2013
@@ -27,7 +27,7 @@
 
   <prevent-frame-attacks>false</prevent-frame-attacks>
 
-  <content-security-policy>
+  <content-security-policy mode="on">
     <directive>default-src 'self'</directive>
   </content-security-policy>
 

Modified: myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-1.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-1.xml?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-1.xml (original)
+++ myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-1.xml Tue Sep 10 13:36:06 2013
@@ -31,7 +31,7 @@
     </after>
   </ordering>
 
-  <content-security-policy>
+  <content-security-policy mode="report-only">
     <directive>image-src http://apache.org</directive>
   </content-security-policy>
 

Modified: myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-2.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-2.xml?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-2.xml (original)
+++ myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-merge-2.xml Tue Sep 10 13:36:06 2013
@@ -31,7 +31,6 @@
     </after>
   </ordering>
 
-  <content-security-policy extension-mode="replace">
-  </content-security-policy>
+  <content-security-policy mode="off"/>
 
 </tobago-config>

Modified: myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-untidy-2.0.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-untidy-2.0.xml?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-untidy-2.0.xml (original)
+++ myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-untidy-2.0.xml Tue Sep 10 13:36:06 2013
@@ -85,8 +85,7 @@
     false
   </prevent-frame-attacks>
 
-  <content-security-policy
-      extension-mode="replace">
+  <content-security-policy mode="on">
     <directive>
       default-src 'self'
     </directive>

Modified: myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml (original)
+++ myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml Tue Sep 10 13:36:06 2013
@@ -40,7 +40,7 @@
 
   <resource-dir>tobago-resource</resource-dir>
 
-  <content-security-policy>
+  <content-security-policy mode="on">
     <directive>frame-src https://maps.google.com</directive>
   </content-security-policy>
 

Added: myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/content/80-security/content-security-policy.xhtml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/content/80-security/content-security-policy.xhtml?rev=1521478&view=auto
==============================================================================
--- myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/content/80-security/content-security-policy.xhtml (added)
+++ myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/content/80-security/content-security-policy.xhtml Tue Sep 10 13:36:06 2013
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+-->
+
+<ui:composition template="/WEB-INF/tags/layout/overview.xhtml"
+                xmlns:tc="http://myfaces.apache.org/tobago/component"
+                xmlns:ui="http://java.sun.com/jsf/facelets"
+                xmlns:f="http://java.sun.com/jsf/core">
+  <ui:param name="title" value="Content Security Policy"/>
+
+  <tc:panel>
+    <f:facet name="layout">
+      <tc:gridLayout rows="100px;*;*" columns="*;*"/>
+    </f:facet>
+
+    <tc:out escape="false" value="  Tobago supports Content Security Policy (CSP) to prevent cross-site
+      scripting (XSS) and related attacks.
+      Specification link http://www.w3.org/TR/CSP/
+      In short: The HTML page doesn't contain any JavaScript or CSS information.
+      All allowed sources for JavaScript, CSS and other resources have to be declared in special header.
+      If you have own renderers or own JavaScript in your application, this code also needs to support SCP, to use this feature.
+    ">
+      <tc:gridLayoutConstraint columnSpan="2"/>
+    </tc:out>
+
+    <tc:box label="This box may be manipulated by JavaScript">
+      <tc:panel id="panel">
+        <tc:out value="When you can read this text, it hasn't been manipulated by JavaScript.
+        That means the CSP is working correctly."/>
+      </tc:panel>
+      <tc:script onload="cspDemo();">
+        // <![CDATA[
+        function cspDemo() {
+          jQuery(Tobago.Utils.escapeClientId("page:panel")).html(
+            "<span style='color: #ff0000; font-weight: bold;'>Attention: When you can read this text, the content was manipulated by JavaScript."
+            + " It seems, your browser doesn't support CSP!</span>");
+        }
+        // ]]>
+      </tc:script>
+    </tc:box>
+
+  </tc:panel>
+</ui:composition>

Modified: myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml (original)
+++ myfaces/tobago/trunk/tobago-example/tobago-example-test/src/main/webapp/WEB-INF/tobago-config.xml Tue Sep 10 13:36:06 2013
@@ -33,7 +33,7 @@
   <prevent-frame-attacks>false</prevent-frame-attacks>
 
   <!-- this disables CSP -->
-  <content-security-policy extension-mode="replace"/>
+  <content-security-policy mode="report-only"/>
 
   <renderers>
     <renderer>

Modified: myfaces/tobago/trunk/tobago-example/tobago-example-test/src/test/java/org/apache/myfaces/tobago/example/test/TestTheAutomaticSeleniumTest.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-example/tobago-example-test/src/test/java/org/apache/myfaces/tobago/example/test/TestTheAutomaticSeleniumTest.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-example/tobago-example-test/src/test/java/org/apache/myfaces/tobago/example/test/TestTheAutomaticSeleniumTest.java (original)
+++ myfaces/tobago/trunk/tobago-example/tobago-example-test/src/test/java/org/apache/myfaces/tobago/example/test/TestTheAutomaticSeleniumTest.java Tue Sep 10 13:36:06 2013
@@ -85,6 +85,7 @@ public class TestTheAutomaticSeleniumTes
     } catch (AssertionError e) { // from IDE
       Assert.assertTrue(e.getMessage().contains("404 - page not found"));
     } catch (SeleniumException e) { // from mvn -Pintegration-test
+      LOG.info("Exception: '" + e.getMessage() + "'");
       Assert.assertTrue(e.getMessage().contains("Response_Code = 404"));
     }
   }

Modified: myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java (original)
+++ myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java Tue Sep 10 13:36:06 2013
@@ -142,9 +142,7 @@ public class PageRenderer extends PageRe
 
     ResponseUtils.ensureNoCacheHeader(facesContext);
 
-    if (tobagoConfig.isContentSecurityPolicyActive()) {
-      ResponseUtils.ensureContentSecurityPolicyHeader(facesContext, tobagoConfig.getContentSecurityPolicy());
-    }
+    ResponseUtils.ensureContentSecurityPolicyHeader(facesContext, tobagoConfig.getContentSecurityPolicy());
 
     if (LOG.isDebugEnabled()) {
       for (Object o : page.getAttributes().entrySet()) {

Modified: myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/META-INF/tobago-config.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/META-INF/tobago-config.xml?rev=1521478&r1=1521477&r2=1521478&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/META-INF/tobago-config.xml (original)
+++ myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/resources/META-INF/tobago-config.xml Tue Sep 10 13:36:06 2013
@@ -27,7 +27,7 @@
 
   <resource-dir>org/apache/myfaces/tobago/renderkit</resource-dir>
 
-  <content-security-policy>
+  <content-security-policy mode="on">
     <directive>default-src 'self'</directive>
   </content-security-policy>
 



Mime
View raw message